Информационная безопасность
[RU] switch to English


Уязвимости безопасности в OpenStack
дополнено с 4 февраля 2013 г.
Опубликовано:24 марта 2013 г.
Источник:
SecurityVulns ID:12863
Тип:удаленная
Уровень опасности:
5/10
Описание:Утечка информации в Nova и Glance, исчерпание ресурсов в Keystone.
Затронутые продукты:OPENSTACK : glance 2012.2
 OPENSTACK : Nova 2012.2
 OPENSTACK : KeyStone 2012.2
 OPENSTACK : Cinder 2012.2
CVE:CVE-2013-1865 (OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.)
 CVE-2013-1840 (The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.)
 CVE-2013-1838 (OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function.)
 CVE-2013-1665 (The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.)
 CVE-2013-1664 (The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.)
 CVE-2013-0335 (OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port.)
 CVE-2013-0282 (OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.)
 CVE-2013-0247 (OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.)
 CVE-2013-0212 (store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.)
 CVE-2013-0208 (The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter.)
Оригинальный текстdocumentUBUNTU, [USN-1772-1] OpenStack Keystone vulnerability (24.03.2013)
 documentUBUNTU, [USN-1771-1] OpenStack Nova vulnerabilities (24.03.2013)
 documentUBUNTU, [USN-1764-1] OpenStack Glance vulnerability (19.03.2013)
 documentUBUNTU, [USN-1730-1] OpenStack Keystone vulnerabilities (24.02.2013)
 documentUBUNTU, [USN-1731-1] OpenStack Cinder vulnerability (24.02.2013)
 documentUBUNTU, [USN-1734-1] OpenStack Nova vulnerability (24.02.2013)
 documentUBUNTU, [USN-1715-1] OpenStack Keystone vulnerability (11.02.2013)
 documentUBUNTU, [USN-1710-1] OpenStack Glance vulnerability (04.02.2013)
 documentUBUNTU, [USN-1709-1] OpenStack Nova vulnerability (04.02.2013)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород