OSSA-2014-024: Use of non-constant time comparison operation

OSSA-2014-024: Use of non-constant time comparison operation¶

Date:: July 17, 2014
CVE:: CVE-2014-3517

Affects¶

Nova: Up to 2013.2.3, and 2014.1 to 2014.1.1

Description¶

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.

Patches¶

https://review.openstack.org/#/c/107398 (Havana)
https://review.openstack.org/#/c/107397 (Icehouse)
https://review.openstack.org/#/c/107396 (Juno)

Credits¶

Alex Gaynor from Rackspace (CVE-2014-3517)

References¶

https://launchpad.net/bugs/1325128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517

this page last updated: 2024-10-03 16:29:15

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.