Информационная безопасность
[RU] switch to English


Многочисленные уязвимости безопасности в OpenStack
дополнено с 17 июня 2013 г.
Опубликовано:1 июля 2013 г.
Источник:
SecurityVulns ID:13128
Тип:библиотека
Уровень опасности:
6/10
Описание:Обход защиты и обход аутентификации в Keystone, DoS через Nova.
Затронутые продукты:OPENSTACK : Nova 2012.2
 OPENSTACK : KeyStone 2012.2
 OPENSTACK : Grizzly 2013.1
 OPENSTACK : Nova 2013.1
 OPENSTACK : OpenStack Object Storage 1.7
CVE:CVE-2013-4155 (OpenStack Swift before 1.9.1 in Folsom, Grizzly, and Havana allows authenticated users to cause a denial of service ("superfluous" tombstone consumption and Swift cluster slowdown) via a DELETE request with a timestamp that is older than expected.)
 CVE-2013-2161 (XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.)
 CVE-2013-2157 (OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.)
 CVE-2013-2104 (python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.)
 CVE-2013-2096 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the virtual size of a QCOW2 image allows local users to cause a denial of service (host file system disk consumption) by creating an image with a large virtual size that does not contain a large amount of data.)
 CVE-2013-2059 (OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.)
 CVE-2012-4406 (OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.)
 CVE-2012-4406 (OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.)
Оригинальный текстdocumentUBUNTU, [USN-1887-1] OpenStack Swift vulnerabilities (01.07.2013)
 documentUBUNTU, [USN-1831-1] OpenStack Nova vulnerability (17.06.2013)
 documentUBUNTU, [USN-1830-1] OpenStack Keystone vulnerability (17.06.2013)
 documentUBUNTU, [USN-1875-1] OpenStack Keystone vulnerabilities (17.06.2013)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород