OSSA-2012-007: Security groups fail to be set correctly

Date:

June 06, 2012

CVE:

CVE-2012-2654

Affects

• Nova: All versions

Description

HP Cloud Services reported a vulnerability in Nova API handling. When a security group is created via the EC2 or OS API’s that uses a protocol defined in the incorrect case i.e ‘TCP’ rather than ‘tcp’ it causes a later string comparison to fail. This leads to Security Groups not being set correctly. Once he ova DB has been polluted with the incorrect case any subsequent modifications to the security group will also fail. ake Nova resilient to any protocol case inconsistencies that may be in the Nova DB. Users may want to consider sanitizing their database by forcing all protocol entries to lower case, hardening their DB against any failures of future code that may expect the data to be lower case.

Patches

• https://review.openstack.org/#/c/8239 (Diablo)

• https://review.openstack.org/#/c/8238 (Essex)

• https://review.openstack.org/#/c/8237 (Folsom)

Credits

• HP Cloud Services from HP (CVE-2012-2654)

References

• https://launchpad.net/bugs/985184

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2654