Information Security


Multiple security vulnerabilities in OpenStack
Published: 24 August 2014
Source:
SecurityVulns ID: 13927
Type: library
Danger level:
6/10
Description: Information leak in Ceilometer, information leak and DoS in Neutron, DoS in Glance, cross-site scripting in Horizon, restriction bypass and privilege escalation in Keystone, timing attack in Nova.
Affected products: OPENSTACK : Nova 2014.1
 OPENSTACK : Neutron 2014.1
 OPENSTACK : PyCADF 0.5
 OPENSTACK : Ceilometer 2014.1
 OPENSTACK : Keystone 2014.1
 OPENSTACK : Horizon 2014.1
 OPENSTACK : Glance 2014.1
CVE: CVE-2014-5356 (OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image.)
 CVE-2014-4615 (The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).)
 CVE-2014-3594 (Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.)
 CVE-2014-3555 (OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.)
 CVE-2014-3517 (api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.)
 CVE-2014-3497 (Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.)
 CVE-2014-3476 (OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.)
 CVE-2014-3475 (Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.)
 CVE-2014-3474 (Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.)
 CVE-2014-3473 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.)
 CVE-2014-0187 (The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied.)
 CVE-2013-6433 (The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file.)
Original text: UBUNTU, [USN-2311-2] OpenStack Ceilometer vulnerability (24.08.2014)
 UBUNTU, [USN-2321-1] OpenStack Neutron vulnerabilities (24.08.2014)
 UBUNTU, [USN-2322-1] OpenStack Glance vulnerability (24.08.2014)
 UBUNTU, [USN-2323-1] OpenStack Horizon vulnerabilities (24.08.2014)
 UBUNTU, [USN-2324-1] OpenStack Keystone vulnerabilities (24.08.2014)
 UBUNTU, [USN-2325-1] OpenStack Nova vulnerability (24.08.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod