Information Security


Multiple security vulnerabilities in OpenStack applications
Published: December 1, 2014
Source:
SecurityVulns ID: 14124
Type: library
Severity level: 6/10
Description: Information leak in OpenStack Cinder, information leak in Keystone, information leak and restriction bypass in Nova, restriction bypass in Neutron.
Affected products: OPENSTACK : Cinder 2014.1
 OPENSTACK : Nova 2014.1
 OPENSTACK : Neutron 2014.1
 OPENSTACK : Keystone 2014.1
 OPENSTACK : Trove 2014.1
 OPENSTACK : Neutron 2014.2
CVE:CVE-2014-7230 (The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.)
 CVE-2014-6414 (OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.)
 CVE-2014-3641 (The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.)
 CVE-2014-3621 (The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.)
 CVE-2014-3608 (The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.)
Original text: UBUNTU, [USN-2408-1] OpenStack Neutron vulnerability (01.12.2014)
 UBUNTU, [USN-2407-1] OpenStack Nova vulnerabilities (01.12.2014)
 UBUNTU, [USN-2406-1] OpenStack Keystone vulnerability (01.12.2014)
 UBUNTU, [USN-2405-1] OpenStack Cinder vulnerabilities (01.12.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod