OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API
- Date: January 11, 2012
- CVE: CVE-2012-0030
Affects
Nova: 2011.3, Essex
Description
Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar (HP) discovered a vulnerability in Nova API nodes' handling of incoming requests. An authenticated user may craft malicious commands to affect resources on tenants he is not a member of, potentially leading to incorrect billing, quota escaping or compromise of computing resources created by a third party. Only setups allowing the OpenStack API are affected.
Patches
Credits
Nachi Ueno from NTT PF lab (CVE-2012-0030)
Rohit Karajgi from Vertex (CVE-2012-0030)
Venkatesan Ravikumar from HP (CVE-2012-0030)