Initial import of advisory information.

This data has been collected from every advisory
issued by the OpenStack VMT to date. The CVSSv2
information and impacts have been mined from
Red Hat's CVE database. The severity and importance
of these issues may differ from these ratings.
Grant Murphy 2014-07-27 15:08:57 +10:00
commit 659913dd22
85 changed files with 3853 additions and 0 deletions

42
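--- a/OSSA-2011-001.json
+++ b/OSSA-2011-001.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2011-12-13",
+"description": "David Black reported two issues in OpenStack Nova's support for EC2 RegisterImage action. By registering images from malicious tarballs or manifests, an attacker could potentially traverse directories and overwrite files with the rights of the user Nova runs under. Only setups allowing the EC2 API and the S3/RegisterImage method for registering images are affected.",
+"id": "2011-001",
+"title": "Path traversal issues registering malicious images using EC2 API",
+"url": "https://lists.launchpad.net/openstack/msg06105.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"885167",
+"894755"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "David Black"
+}
+],
+"reviews": [
+"2283",
+"2284"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2011-4596",
+"cvss": {
+"base_score": "5.8",
+"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}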
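Review bot: `"version": "TODO"` under `affects` and `"cwe": "TODO"` are placeholder strings that a consumer cannot tell apart from real values, so nothing reading this file can decide whether a given nova release is affected. Until the data is filled in, `"version": null` and `"cwe": null` (or omitting the keys) would let a schema check flag the gap. `base_score` is also stored as a string (`"5.8"`) rather than a number, which makes threshold comparisons depend on string parsing; `"base_score": 5.8` avoids that. The same three points apply to the other advisory files visible in this commit.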

49
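--- a/OSSA-2012-001.json
+++ b/OSSA-2012-001.json
@@ -0,0 +1,49 @@
+{
+"advisory": {
+"date": "2012-01-11",
+"description": "Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar (HP) discovered a vulnerability in Nova API nodes handling of incoming requests. An authenticated user may craft malicious commands to affect resources on tenants he is not a member of, potentially leading to incorrect billing, quota escaping or compromise of computing resources created by a third-party. Only setups allowing the OpenStack API are affected. ",
+"id": "2012-001",
+"title": "Tenant bypass by authenticated users using OpenStack API",
+"url": "https://lists.launchpad.net/openstack/msg06648.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"904072"
+],
+"notes": "",
+"reporters": [
+{
+"company": "NTT PF lab",
+"name": "Nachi Ueno"
+},
+{
+"company": "Vertex",
+"name": "Rohit Karajgi"
+},
+{
+"company": "HP",
+"name": "Venkatesan Ravikumar"
+}
+],
+"reviews": [
+"2960",
+"2961"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-0030",
+"cvss": {
+"base_score": "6.5",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}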

41
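--- a/OSSA-2012-002.json
+++ b/OSSA-2012-002.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-03-27",
+"description": "Dan Prince reported a vulnerability in Keystone. He discovered that you can remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonablelimit on password length (4 kB).",
+"id": "2012-002",
+"title": "Extremely long passwords can crash Keystone",
+"url": "https://lists.launchpad.net/openstack/msg09193.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"957359"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"5507",
+"5865"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-1572",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}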

41
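--- a/OSSA-2012-003.json
+++ b/OSSA-2012-003.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-03-29",
+"description": "Dan Prince reported a vulnerability in OpenStack Compute (Nova) API servers. By PUTing or POSTing extremely long server names to the OpenStack API, any authenticated user may grow nova-api log files significantly, potentially resulting in disk space exhaustion and denial of service to the affected nova-api nodes. only setups running the OpenStack API are affected. ",
+"id": "2012-003",
+"title": "Long server names grow nova-api log files significantly",
+"url": "https://lists.launchpad.net/openstack/msg09311.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"962515"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"5955",
+"5957"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-1585",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}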

41
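--- a/OSSA-2012-004.json
+++ b/OSSA-2012-004.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-04-17",
+"description": "Matthias Weckbecker reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with Javascript code gets interpreted as such, resulting in the ability to inject code into a dashboard session. ",
+"id": "2012-004",
+"title": "XSS vulnerability in Horizon log viewer",
+"url": "https://lists.launchpad.net/openstack/msg10211.html"
+},
+"affects": [
+{
+"product": "horizon",
+"version": "TODO"
+}
+],
+"bugs": [
+"977944"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Matthias Weckbecker"
+}
+],
+"reviews": [
+"6618",
+"6621"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-2094",
+"cvss": {
+"base_score": "2.9",
+"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}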
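Review bot: `"base_score": "2.9"` does not agree with `"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"`; the CVSSv2 base equation gives 5.0 for that vector, the same value recorded for the other network/low-complexity/unauthenticated vectors with a single partial impact in OSSA-2012-002.json and OSSA-2012-012.json. One of the two fields was probably transcribed wrongly from the source database, and the `low` impact rating depends on which one is right. Re-check both against the CVE record for CVE-2012-2094 before this file is used for prioritisation.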

43
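--- a/OSSA-2012-005.json
+++ b/OSSA-2012-005.json
@@ -0,0 +1,43 @@
+{
+"advisory": {
+"date": "2012-04-19",
+"description": "Dan Prince reported a vulnerability in Nova. He discovered that there was no limit on the number of security group rules a user can create. By creating a very large set of rules, an unreasonable number of iptables rules will be created on compute nodes, resulting in a denial of service. ",
+"id": "2012-005",
+"title": "No quota enforced on security group rules",
+"url": "https://lists.launchpad.net/openstack/msg10268.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"969545"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"6653",
+"6654",
+"6655",
+"6656"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-2101",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}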

41
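--- a/OSSA-2012-006.json
+++ b/OSSA-2012-006.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-05-04",
+"description": "Thomas Biege from SUSE reported a vulnerability in OpenStack Dashboard (Horizon). Under specific circumstances it is possible to reuse session cookies from another user, potentially allowing access to unauthorized information and capabilities. ",
+"id": "2012-006",
+"title": "Horizon session fixation and reuse",
+"url": "https://lists.launchpad.net/openstack/msg11263.html"
+},
+"affects": [
+{
+"product": "horizon",
+"version": "TODO"
+}
+],
+"bugs": [
+"978896"
+],
+"notes": "Incorrect CVE listed in advisory: CVE-2012-05-04",
+"reporters": [
+{
+"company": "SUSE",
+"name": "Thomas Biege"
+}
+],
+"reviews": [
+"7144",
+"7145"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-2144",
+"cvss": {
+"base_score": "5.8",
+"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}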

41
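--- a/OSSA-2012-007.json
+++ b/OSSA-2012-007.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-06-06",
+"description": "HP Cloud Services reported a vulnerability in Nova API handling. When a security group is created via the EC2 or OS API's that uses a protocol defined in the incorrect case i.e 'TCP' rather than 'tcp' it causes a later string comparison to fail. This leads to Security Groups not being set correctly. Once he ova DB has been polluted with the incorrect case any subsequent modifications to the security group will also fail. ake Nova resilient to any protocol case inconsistencies that may be in the Nova DB. Users may want to consider sanitizing their database by forcing all protocol entries to lower case, hardening their DB against any failures of future code that may expect the data to be lower case. ",
+"id": "2012-007",
+"title": "Security groups fail to be set correctly",
+"url": "https://lists.launchpad.net/openstack/msg12883.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"985184"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "HP Cloud Services"
+}
+],
+"reviews": [
+"8238",
+"8239"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-2654",
+"cvss": {
+"base_score": "2.1",
+"scoring_vector": "AV:N/AC:H/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}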
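Review bot: The `description` string has lost characters during import: `Once he ova DB has been polluted` and `ake Nova resilient to any protocol case inconsistencies` are both truncated, and the second fragment appears to be missing the start of its sentence. OSSA-2012-008.json (`requesting iles to be injected`) and OSSA-2012-015.json (`The second as the ability`) show the same kind of loss. Because the mitigation advice sits in this text, re-importing these descriptions from the advisory at `url` is safer than patching the words by hand.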

55
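--- a/OSSA-2012-008.json
+++ b/OSSA-2012-008.json
@@ -0,0 +1,55 @@
+{
+"advisory": {
+"date": "2012-07-03",
+"description": "Matthias Weckbecker from SUSE Security team reported a vulnerability in Nova compute nodes handling of file injection in disk images. By requesting iles to be injected in malicious paths, a remote authenticated user could inject files in arbitrary locations on the host file system, potentially resulting in full compromise of the compute node. Only Essex and later setups running the OpenStack API over libvirt-based hypervisors are affected. Upon further inspection of the code, P\u00e1draig Brady from Red Hat found an additional vulnerability. By crafting a malicious image and requesting an instance based on it, a remote authenticated user may corrupt arbitrary files on the host filesystem, potentially resulting in a denial of service. This affects all setups. ",
+"id": "2012-008",
+"title": "Arbitrary file injection/corruption through directory traversal",
+"url": "https://lists.launchpad.net/openstack/msg14089.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1015531"
+],
+"notes": "",
+"reporters": [
+{
+"company": "SUSE",
+"name": "Matthias Weckbecker"
+},
+{
+"company": "Red Hat",
+"name": "P\u00e1draig Brady"
+}
+],
+"reviews": [
+"9266",
+"9267",
+"9268"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3360",
+"cvss": {
+"base_score": "6.0",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+},
+{
+"cve": "CVE-2012-3361",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}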

41
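--- a/OSSA-2012-009.json
+++ b/OSSA-2012-009.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-07-11",
+"description": "Dan Prince from Red Hat reported a vulnerability in Nova scheduler nodes. By creating servers with malicious scheduler_hints, an authenticated user may generate a huge amount of database calls, potentially resulting in a Denial of Service attack against Nova scheduler nodes. Only setups exposing the OpenStack API and enabling DifferentHostFilter and/or SameHostFilter are affected. ",
+"id": "2012-009",
+"title": "Scheduler denial of service through scheduler_hints",
+"url": "https://lists.launchpad.net/openstack/msg14452.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1017795"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"9637",
+"9639"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3371",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}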

47
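--- a/OSSA-2012-010.json
+++ b/OSSA-2012-010.json
@@ -0,0 +1,47 @@
+{
+"advisory": {
+"date": "2012-07-27",
+"description": "Derek Higgins reported various issues affecting Keystone token expiration. A token expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner expectations.",
+"id": "2012-010",
+"title": "Various Keystone token expiration issues",
+"url": "https://lists.launchpad.net/openstack/msg15164.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"998185",
+"997194",
+"996595"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Derek Higgins"
+}
+],
+"reviews": [
+"8174",
+"8573",
+"7344",
+"8456",
+"7276",
+"8454"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3426",
+"cvss": {
+"base_score": "4.9",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}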

42
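--- a/OSSA-2012-011.json
+++ b/OSSA-2012-011.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2012-08-07",
+"description": "P\u00e1draig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting a server based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.",
+"id": "2012-011",
+"title": "Compute node filesystem injection/corruption",
+"url": "https://lists.launchpad.net/openstack/msg15549.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1031311"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "P\u00e1draig Brady"
+}
+],
+"reviews": [
+"10951",
+"10952",
+"10953"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3447",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}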

40
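--- a/OSSA-2012-012.json
+++ b/OSSA-2012-012.json
@@ -0,0 +1,40 @@
+{
+"advisory": {
+"date": "2012-08-30",
+"description": "Thomas Biege from SUSE reported a vulnerability in Horizon authentication mechanism. By adding a malicious 'next' parameter to a Horizon authentication URL and enticing an unsuspecting user to follow it, the victim might get redirected after authentication to a malicious site where useful information could be extracted. Only setups running Essex are affected.",
+"id": "2012-012",
+"title": "Open redirect through 'next' parameter",
+"url": "https://lists.launchpad.net/openstack/msg16278.html"
+},
+"affects": [
+{
+"product": "horizon",
+"version": "TODO"
+}
+],
+"bugs": [
+"1039077"
+],
+"notes": "",
+"reporters": [
+{
+"company": "SUSE",
+"name": "Thomas Biege"
+}
+],
+"reviews": [
+"12193"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3542",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}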
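Review bot: `"cve": "CVE-2012-3542"` and the whole `cvss` block are identical here and in OSSA-2012-013.json, although this advisory is a Horizon open redirect and that one is a Keystone authorization flaw. Two unrelated issues sharing an identifier and score looks like a copy error in one of the files, and tooling keyed on CVE id would merge them into one finding. Confirm each id against the advisory linked in `url` and correct whichever record is wrong.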

40
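--- a/OSSA-2012-013.json
+++ b/OSSA-2012-013.json
@@ -0,0 +1,40 @@
+{
+"advisory": {
+"date": "2012-08-30",
+"description": "Dolph Mathews reported a vulnerability in Keystone. When attempting to update a user's default tenant, Keystone will only partially deny the request when a user is not authorized to complete this action. The API responds with 401 Not Authorized and the user's default tenant is not changed. However, the user is still granted membership to this new tenant.The result is that any client that can reach the administrative API (deployed on port 35357, by default) can add any user to any tenant.",
+"id": "2012-013",
+"title": "Lack of authorization for adding users to tenants",
+"url": "https://lists.launchpad.net/openstack/msg16282.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1040626"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Rackspace",
+"name": "Dolph Mathews"
+}
+],
+"reviews": [
+"12194"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-3542",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}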

41
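--- a/OSSA-2012-014.json
+++ b/OSSA-2012-014.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-09-12",
+"description": "Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue. ",
+"id": "2012-014",
+"title": "Revoking a role does not affect existing tokens",
+"url": "https://lists.launchpad.net/openstack/msg16659.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1041396"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Rackspace",
+"name": "Dolph Mathews"
+}
+],
+"reviews": [
+"12868",
+"12870"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-4413",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}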

44
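--- a/OSSA-2012-015.json
+++ b/OSSA-2012-015.json
@@ -0,0 +1,44 @@
+{
+"advisory": {
+"date": "2012-09-28",
+"description": "Jaxon Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second as the ability to get, create, and delete services.",
+"id": "2012-015",
+"title": "Some actions in Keystone admin API do not validate token",
+"url": "https://lists.launchpad.net/openstack/msg17034.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1006815",
+"1006822"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Jason Xu"
+}
+],
+"reviews": [
+"8104",
+"9014",
+"8105",
+"9015"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-4456",
+"cvss": {
+"base_score": "7.5",
+"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}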
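Review bot: The reporter is spelled `Jaxon Xu` in `description` but `Jason Xu` in `reporters[0].name`, so one of the two is wrong and a credit lookup by name will miss. OSSA-2013-004.json has a similar mismatch, `Stuart Stent` in the description versus `"name": "StuartStent"`. Take the spelling from the advisory at `url` and use it in both places.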

41
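--- a/OSSA-2012-016.json
+++ b/OSSA-2012-016.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-09-28",
+"description": "Rohit Karajgi reported a vulnerability in Keystone. It was possible to get a token that is authorized for a disabled tenant. Once the token is established with authorization on the tenant, keystone would respond 200 OK to token validation requests from other OpenStack services, allowing the user to work with the tenant's resources. ",
+"id": "2012-016",
+"title": "Token authorization for a user in a disabled tenant is allowed",
+"url": "https://lists.launchpad.net/openstack/msg17035.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"988920"
+],
+"notes": "",
+"reporters": [
+{
+"company": "NTT Data",
+"name": "Rohit Karajgi"
+}
+],
+"reviews": [
+"9862",
+"10534"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-4457",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}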

54
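--- a/OSSA-2012-017.json
+++ b/OSSA-2012-017.json
@@ -0,0 +1,54 @@
+{
+"advisory": {
+"date": "2012-11-07",
+"description": "Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. Only Folsom/Grizzly deployments that expose the v1 API are affected by this vulnerability. Additionally, Essex deployments that use the delayed_delete option are also affected.",
+"id": "2012-017",
+"title": "Authentication bypass for image deletion",
+"url": "https://lists.launchpad.net/openstack/msg18386.html, https://lists.launchpad.net/openstack/msg18466.html"
+},
+"affects": [
+{
+"product": "glance",
+"version": "TODO"
+}
+],
+"bugs": [
+"1065187",
+"1076506"
+],
+"notes": "OSSA-2012-017.1 ERRATA",
+"reporters": [
+{
+"company": "Rackspace",
+"name": "Gabe Westmaas"
+}
+],
+"reviews": [
+"15562",
+"15563",
+"15564",
+"15658",
+"15659"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-4573",
+"cvss": {
+"base_score": "2.1",
+"scoring_vector": "AV:N/AC:H/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+},
+{
+"cve": "CVE-2012-5482",
+"cvss": {
+"base_score": "UNKNOWN",
+"scoring_vector": "UNKNOWN"
+},
+"cwe": "TODO",
+"impact": "UNKNOWN"
+}
+]
+}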
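Review bot: `url` holds two addresses joined by `, ` in one string, so any consumer that treats the field as a single URL gets an invalid link; since `notes` already records the errata, keep the original advisory in `url` and move the second link into `notes` or an array field. The second vulnerability uses `"UNKNOWN"` for `base_score`, `scoring_vector` and `impact`, which mixes a sentinel into fields that elsewhere hold a score, a vector and a rating; `"base_score": null` would be unambiguous. As written, a filter on impact or score has to special-case this string or it will silently drop CVE-2012-5482.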

42
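--- a/OSSA-2012-018.json
+++ b/OSSA-2012-018.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2012-11-28",
+"description": "Vijaya Erukala reported a vulnerability in Keystone EC2-style credentials invalidation: when a user is removed from a tenant, issued EC2-style credentials would continue to be valid for that tenant. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner expectations. Only setups enabling EC2-style credentials (for example enabling EC2 API in Nova) are affected.",
+"id": "2012-018",
+"title": "EC2-style credentials invalidation issue",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2012-November/000055.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1064914"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Vijaya Erukala"
+}
+],
+"reviews": [
+"16028",
+"16304",
+"16760"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-5571",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}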
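Review bot: `url` switches from `https://` (the Launchpad links in the earlier files) to plain `http://lists.openstack.org/...` here and in the later advisory files in this commit. These links are the authoritative reference for each record, so fetching them over cleartext leaves the advisory text open to modification in transit. If the list archive is served over TLS, use the `https://` form of the same URL.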

41
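--- a/OSSA-2012-019.json
+++ b/OSSA-2012-019.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-11-28",
+"description": "Anndy reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support PKI tokens.",
+"id": "2012-019",
+"title": "Extension of token validity through token chaining",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2012-November/000056.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1079216"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Anndy"
+}
+],
+"reviews": [
+"17050",
+"17051"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-5563",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}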

41
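--- a/OSSA-2012-020.json
+++ b/OSSA-2012-020.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2012-12-11",
+"description": "Eric Windisch from Cloudscaling reported a vulnerability in libvirt LVM-backed instances. The physical volume content was not wiped out before being deallocated and passed to an instance, which may result in the disclosure of information from previously-allocated logical volumes.Only setups using libvirt and LVM-backed instances (libvirt_images_type=lvm) are affected. ",
+"id": "2012-020",
+"title": "Information leak in libvirt LVM-backed instances",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2012-December/000059.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1070539"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Cloudscaling",
+"name": "Eric Windisch"
+}
+],
+"reviews": [
+"17856",
+"17857"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2012-5625",
+"cvss": {
+"base_score": "1.5",
+"scoring_vector": "AV:L/AC:M/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}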

42
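--- a/OSSA-2013-001.json
+++ b/OSSA-2013-001.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-01-29",
+"description": "Phil Day from HP reported a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume he doesn't own, potentially resulting in full access to that 3rd-party volume contents. Folsom setups making use of Cinder are not affected. ",
+"id": "2013-001",
+"title": "Boot from volume allows access to random volumes",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-January/000070.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1069904"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Phil Day"
+}
+],
+"reviews": [
+"20698",
+"20699",
+"20700"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-0208",
+"cvss": {
+"base_score": "6.5",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}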

42
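--- a/OSSA-2013-002.json
+++ b/OSSA-2013-002.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-01-29",
+"description": "Dan Prince of Red Hat discovered an issue in Glance error reporting. By creating an image in Glance by URL that references a mis-configured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, an authenticated user may access the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected. ",
+"id": "2013-002",
+"title": "Backend password leak in Glance error message",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-January/000071.html"
+},
+"affects": [
+{
+"product": "glance",
+"version": "TODO"
+}
+],
+"bugs": [
+"1098962"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"20695",
+"20696",
+"20697"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-0212",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}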

42
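--- a/OSSA-2013-003.json
+++ b/OSSA-2013-003.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-02-05",
+"description": "Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. By requesting lots of invalid tokens, an unauthenticated user may fill up logs on Keystone API servers disks, potentially resulting in a denial of service attack against Keystone. ",
+"id": "2013-003",
+"title": "Keystone denial of service through invalid token requests",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000074.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1098307"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Dan Prince"
+}
+],
+"reviews": [
+"21213",
+"21215",
+"21216"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-0247",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}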

73
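--- a/OSSA-2013-004.json
+++ b/OSSA-2013-004.json
@@ -0,0 +1,73 @@
+{
+"advisory": {
+"date": "2013-02-19",
+"description": "Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerabilities in the parsing of XML requests in Python XML libraries used in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash (CVE-2013-1664). Authenticated attackers may also leverage XML entities to read the content of a local file on the Keystone API server (CVE-2013-1665). This only affects servers with XML support enabled.",
+"id": "2013-004",
+"title": "Information leak and Denial of Service using XML entities",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+},
+{
+"product": "nova",
+"version": "TODO"
+},
+{
+"product": "cinder",
+"version": "TODO"
+}
+],
+"bugs": [
+"1100282",
+"1100279"
+],
+"notes": "",
+"reporters": [
+{
+"company": "NCC Group",
+"name": "Jonathan Murray"
+},
+{
+"company": "Yahoo!",
+"name": "Joshua Harlow"
+},
+{
+"company": "UNKNOWN",
+"name": "StuartStent"
+}
+],
+"reviews": [
+"22309",
+"22310",
+"22315",
+"22312",
+"22311",
+"22314",
+"22313",
+"22316"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-1664",
+"cvss": {
+"base_score": "4.3",
+"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+},
+{
+"cve": "CVE-2013-1665",
+"cvss": {
+"base_score": "5.8",
+"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}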
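Review bot: `affects` lists keystone, nova and cinder for the whole advisory, but the description ties CVE-2013-1665 to the Keystone API server only, and the record as written gives no way to say which product each entry in `vulnerabilities` applies to. The description also says `Authenticated attackers` for CVE-2013-1665 while its vector carries `Au:N`; that may simply reflect the upstream rating, but it deserves a line in `notes`. Recording the affected products per vulnerability, or at least stating the scope in `notes`, would keep a nova or cinder operator from being told they are exposed to the file-read issue.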

42
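--- a/OSSA-2013-005.json
+++ b/OSSA-2013-005.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-02-19",
+"description": "Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf. ",
+"id": "2013-005",
+"title": "EC2-style authentication accepts disabled user/tenants",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000079.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1121494"
+],
+"notes": "",
+"reporters": [
+{
+"company": "National Security Agency",
+"name": "Nathanael Burton"
+}
+],
+"reviews": [
+"22319",
+"22320",
+"22321"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-0282",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}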

48
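--- a/OSSA-2013-006.json
+++ b/OSSA-2013-006.json
@@ -0,0 +1,48 @@
+{
+"advisory": {
+"date": "2013-02-26",
+"description": "Loganathan Parthipan (HP) and Rohit Karajgi (NTT Data) independently reported a vulnerability in Nova. If a user requests a console and then deletes the VM, it is possible that the console token could allow connectivity to a different VM before the console token expires if the VNC port gets reused in that time period. This issue can be worked around by disabling VNC support. ",
+"id": "2013-006",
+"title": "VNC proxy can connect to the wrong VM",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000082.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1125378"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Loganathan Parthipan"
+},
+{
+"company": "NTT Data",
+"name": "Rohit Karajgi"
+}
+],
+"reviews": [
+"22086",
+"22616",
+"22872",
+"23768",
+"22758"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-0335",
+"cvss": {
+"base_score": "6.0",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}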

42
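--- a/OSSA-2013-007.json
+++ b/OSSA-2013-007.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-03-14",
+"description": "Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator's backend credentials for that endpoint. Only setups accepting the Glance v1 API and using either the single-tenant Swift store or S3 store are affected.",
+"id": "2013-007",
+"title": "Backend credentials leak in Glance v1 API",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-March/000085.html"
+},
+"affects": [
+{
+"product": "glance",
+"version": "TODO"
+}
+],
+"bugs": [
+"1135541"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Stuart McLaren"
+}
+],
+"reviews": [
+"24437",
+"24438",
+"24439"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-1840",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}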

42
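--- a/OSSA-2013-008.json
+++ b/OSSA-2013-008.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-03-14",
+"description": "Vish Ishaya reported a vulnerability in Nova where there is no quota for Fixed IPs. Previously the instance quota acted as a proxy for a Fixed IP quota, but if your configuration allows an instance to consume more than one Fixed IP via an extension such as multinic then this is no longer true. Running out of Fixed IPs would result in not being able to spawn new instances.",
+"id": "2013-008",
+"title": "Nova DoS by allocating all Fixed IPs",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-March/000086.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1125468"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Nebula",
+"name": "Vish Ishaya"
+}
+],
+"reviews": [
+"24451",
+"24452",
+"24453"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-1838",
+"cvss": {
+"base_score": "4.3",
+"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}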

40
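--- a/OSSA-2013-009.json
+++ b/OSSA-2013-009.json
@@ -0,0 +1,40 @@
+{
+"advisory": {
+"date": "2013-03-20",
+"description": "Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming revocated tokens are still valid. Only Folsom setups making use of online verification of PKI tokens are affected.",
+"id": "2013-009",
+"title": "Keystone PKI tokens online validation bypasses revocation check",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-March/000087.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1129713"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Guang Yee"
+}
+],
+"reviews": [
+"24906"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-1865",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}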

46
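--- a/OSSA-2013-010.json
+++ b/OSSA-2013-010.json
@@ -0,0 +1,46 @@
+{
+"advisory": {
+"date": "2013-05-09",
+"description": "Grant Murphy from Red Hat and Anton Lundin both independently reported a vulnerability in Nova's default location for the Keystone middleware signing directory (signing_dir). By previously setting up a malicious directory structure, an attacker with local shell access on the Nova node could potentially issue forged tokens that would be accepted by the middleware. Only setups that use the default value for signing_dir are affected. Note that future versions of the Keystone middleware will issue a warning if an insecure signing directory is used. ",
+"id": "2013-010",
+"title": "Nova uses insecure keystone middleware tmpdir by default",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-May/000098.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1174608"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Grant Murphy"
+},
+{
+"company": "UNKNOWN",
+"name": "Anton Lundin"
+}
+],
+"reviews": [
+"28568",
+"28569",
+"28570"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2030",
+"cvss": {
+"base_score": "2.1",
+"scoring_vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}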

42
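--- a/OSSA-2013-011.json
+++ b/OSSA-2013-011.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-05-09",
+"description": "Sam Stoelinga reported a vulnerability in Keystone. When users are deleted through Keystone v2 API, existing tokens for those users are not immediately invalidated and remain valid for the duration of the token's life (by default, up to 24 hours). This may result in users retaining access when the administrator of the system thought them disabled. You can workaround this issue by disabling a user before deleting it: in that case the tokens belonging to the disabled user are immediately invalidated. Keystone setups using the v3 API call to delete users are unaffected.",
+"id": "2013-011",
+"title": "Keystone tokens not immediately invalidated when user is deleted",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-May/000099.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1166670"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UNKNOWN",
+"name": "Sam Stoelinga"
+}
+],
+"reviews": [
+"28677",
+"28678",
+"28679"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2059",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}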

45
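--- a/OSSA-2013-012.json
+++ b/OSSA-2013-012.json
@@ -0,0 +1,45 @@
+{
+"advisory": {
+"date": "2013-05-16",
+"description": "Loganathan Parthipan publicly reported a vulnerability in Nova. Nova did not implement checking for the virtual size of a qcow2 image used as ephemeral storage for instances. It is therefore possible for a user to create an image which has a large virtual size, but little data. Once the instance is created, the user can then proceed to fill the virtual disk, and consume all available disk on the host node file system. ",
+"id": "2013-012",
+"title": "Nova fails to verify image virtual size",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-May/000102.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1177830"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Loganathan Parthipan"
+}
+],
+"reviews": [
+"28717",
+"28901",
+"29192",
+"54765",
+"54767",
+"54768"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2096",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}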

40
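--- a/OSSA-2013-013.json
+++ b/OSSA-2013-013.json
@@ -0,0 +1,40 @@
+{
+"advisory": {
+"date": "2013-05-23",
+"description": "Jake Dahn from Nebula reported a vulnerability that the keystone client only allows passwords to be updated in a clear text command-line argument, which may enable other local users to obtain sensitive information by listing the process and potentially leaves a record of the password within the shell command history.",
+"id": "2013-013",
+"title": "Keystone client local information disclosure",
+"url": "https://lists.launchpad.net/openstack/msg23923.html"
+},
+"affects": [
+{
+"product": "python-keystoneclient",
+"version": "TODO"
+}
+],
+"bugs": [
+"938315"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Nebula",
+"name": "Jake Dahn"
+}
+],
+"reviews": [
+"28702"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2013",
+"cvss": {
+"base_score": "2.1",
+"scoring_vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}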

49
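--- a/OSSA-2013-014.json
+++ b/OSSA-2013-014.json
@@ -0,0 +1,49 @@
+{
+"advisory": {
+"date": "2013-05-28",
+"description": "Eoghan Glynn from Red Hat and Alex Meade from Rackspace both reported a vulnerability in expiry checks for PKI tokens in the Keystone authentication middleware. Expired tokens for authenticated users could continue to be used, potentially resulting in the bypass of intended security policies. The effect of PKI token revocation is also reversed when the token expires, in the sense that a revoked token is once again treated as being valid. Only setups using PKI tokens are affected.",
+"id": "2013-014",
+"title": "Missing expiration check in Keystone PKI tokens validation",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-May/000106.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+},
+{
+"product": "python-keystoneclient",
+"version": "TODO"
+}
+],
+"bugs": [
+"1179615"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Eoghan Glynn"
+},
+{
+"company": "Rackspace",
+"name": "Alex Meade"
+}
+],
+"reviews": [
+"30742",
+"30743"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2104",
+"cvss": {
+"base_score": "2.6",
+"scoring_vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}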

42
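--- a/OSSA-2013-015.json
+++ b/OSSA-2013-015.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-06-13",
+"description": "Jose Castro Leon from CERN reported a vulnerability in the way the Keystone LDAP backend authenticates users. When provided with an empty password, the backend would perform an anonymous LDAP bind that would result in successfully authenticating the user. An attacker could therefore easily impersonate and get valid tokens for any user. Only Keystone setups using LDAP authentication backend are affected.",
+"id": "2013-015",
+"title": "Authentication bypass when using LDAP backend",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-June/000111.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1187305"
+],
+"notes": "",
+"reporters": [
+{
+"company": "CERN",
+"name": "Jose Castro Leon"
+}
+],
+"reviews": [
+"32896",
+"32895",
+"32894"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2157",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}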

43
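--- a/OSSA-2013-016.json
+++ b/OSSA-2013-016.json
@@ -0,0 +1,43 @@
+{
+"advisory": {
+"date": "2013-06-13",
+"description": "Alex Gaynor from Rackspace reported a vulnerability in XML handling within Swift account servers. Account strings were unescaped in XML listings, and an attacker could potentially generate unparsable or arbitrary XML responses which may be used to leverage other vulnerabilities in the calling software.",
+"id": "2013-016",
+"title": "Unchecked user input in Swift XML responses",
+"url": "https://lists.launchpad.net/openstack/msg24373.html"
+},
+"affects": [
+{
+"product": "swift",
+"version": "TODO"
+}
+],
+"bugs": [
+"1183884"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Rackspace",
+"name": "Alex Gaynor"
+}
+],
+"reviews": [
+"32905",
+"32909",
+"32911",
+"32982"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2161",
+"cvss": {
+"base_score": "5.8",
+"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}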

50
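--- a/OSSA-2013-017.json
+++ b/OSSA-2013-017.json
@@ -0,0 +1,50 @@
+{
+"advisory": {
+"date": "2013-06-19",
+"description": "Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_security_strategy are affected.",
+"id": "2013-017",
+"title": "Issues in Keystone middleware memcache signing/encryption feature",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-June/000114.html"
+},
+"affects": [
+{
+"product": "python-keystoneclient",
+"version": "TODO"
+}
+],
+"bugs": [
+"1175367",
+"1175368"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Nebula",
+"name": "Paul McMillan"
+}
+],
+"reviews": [
+"33661"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2166",
+"cvss": {
+"base_score": "7.5",
+"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "important"
+},
+{
+"cve": "CVE-2013-2167",
+"cvss": {
+"base_score": "7.5",
+"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}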

40
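--- a/OSSA-2013-018.json
+++ b/OSSA-2013-018.json
@@ -0,0 +1,40 @@
+{
+"advisory": {
+"date": "2013-07-30",
+"description": "Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in the-middle attack and access the contents of the Glance client request (or response).",
+"id": "2013-018",
+"title": "Missing SSL certificate check in Python glance client",
+"url": "http://lists.openstack.org/pipermail/openstack/2013-July/000076.html"
+},
+"affects": [
+{
+"product": "python-glanceclient",
+"version": "TODO"
+}
+],
+"bugs": [
+"1192229"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Thomas Leaman"
+}
+],
+"reviews": [
+"33464"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4111",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}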

42
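--- a/OSSA-2013-019.json
+++ b/OSSA-2013-019.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-08-06",
+"description": "hzrandd from NetEase reported a resource limit circumvention vulnerability in Nova's handling of private flavors. Any tenant is able to show and boot any other tenant's private flavors by guessing a flavor ID. This not only exposes the flavor's name, memory and disk size, swap allocation, VCPU count and similar flavor properties, but potentially allows circumvention of any resource limits enforced through the os-flavor-access:is_public property.",
+"id": "2013-019",
+"title": "Resource limit circumvention in Nova private flavors",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-August/000126.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1194093"
+],
+"notes": "",
+"reporters": [
+{
+"company": "NetEase",
+"name": "hzrandd"
+}
+],
+"reviews": [
+"34963",
+"37992",
+"38318"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-2256",
+"cvss": {
+"base_score": "5.5",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}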

42
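--- a/OSSA-2013-020.json
+++ b/OSSA-2013-020.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-08-06",
+"description": "Vishvananda Ishaya from Nebula reported a denial of service vulnerability in Nova's handling of network source security group policy updates. By performing a large number of server creation operations, the proportion of updates increases quadratically and may overwhelm nova-network such that it is no longer able to service other requests in a timely fashion. Only setups relying on nova-network are affected.",
+"id": "2013-020",
+"title": "Denial of Service in Nova network source security groups",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-August/000127.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1184041"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Nebula",
+"name": "Vishvananda Ishaya"
+}
+],
+"reviews": [
+"39541",
+"39543",
+"39544"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4185",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}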

41
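--- a/OSSA-2013-021.json
+++ b/OSSA-2013-021.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-08-07",
+"description": "Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM volume driver. The contents of LVM snapshots may not be cleared upon deletion even when secure deletes are configured, resulting in potential exposure of latent data to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected.",
+"id": "2013-021",
+"title": "Cinder LVM volume driver does not support secure deletion",
+"url": "http://lists.openstack.org/pipermail/openstack/2013-August/000415.html"
+},
+"affects": [
+{
+"product": "cinder",
+"version": "TODO"
+}
+],
+"bugs": [
+"1198185"
+],
+"notes": "",
+"reporters": [
+{
+"company": "UnitedStack",
+"name": "Rongze Zhu"
+}
+],
+"reviews": [
+"36506",
+"39565"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4183",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}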

42
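--- a/OSSA-2013-022.json
+++ b/OSSA-2013-022.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-08-07",
+"description": "Peter Portante from Red Hat reported a vulnerability in Swift. Byissuing requests with an old X-Timestamp value, an authenticatedattacker can fill an object server with superfluous object tombstones,which may significantly slow down subsequent requests to that objectserver, facilitating a Denial of Service attack against Swift clusters.",
+"id": "2013-022",
+"title": "Swift Denial of Service using superfluous object tombstones",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-August/000131.html"
+},
+"affects": [
+{
+"product": "swift",
+"version": "TODO"
+}
+],
+"bugs": [
+"1196932"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Peter Portante"
+}
+],
+"reviews": [
+"40643",
+"40645",
+"40646"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4155",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}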
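Review bot: The `description` string has lost its spaces in four places: `Byissuing`, `authenticatedattacker`, `tombstones,which` and `objectserver`. This looks like the advisory's line breaks being deleted on import instead of replaced with a space, so the intended text is presumably `By issuing`, `authenticated attacker`, `tombstones, which` and `object server`; confirm against the advisory at `url`. It is worth checking the import step for the same join, since any advisory whose source text wrapped mid-sentence would be affected and keyword searches over these descriptions would silently miss them.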

56
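--- a/OSSA-2013-023.json
+++ b/OSSA-2013-023.json
@@ -0,0 +1,56 @@
+{
+"advisory": {
+"date": "2013-08-08",
+"description": "Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected.",
+"id": "2013-023",
+"title": "Denial of Service using XML entities in Nova/Cinder extensions",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-August/000133.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+},
+{
+"product": "cinder",
+"version": "TODO"
+}
+],
+"bugs": [
+"1190229"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Grant Murphy"
+}
+],
+"reviews": [
+"40879",
+"40881",
+"40880",
+"40883"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4179",
+"cvss": {
+"base_score": "5.5",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+},
+{
+"cve": "CVE-2013-4202",
+"cvss": {
+"base_score": "5.0",
+"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}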
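Review bot: For CVE-2013-4179 the `base_score` of `"5.5"` does not agree with its `scoring_vector`: `AV:N/AC:L/Au:S/C:N/I:N/A:P` evaluates to 4.0 under the CVSSv2 equations, and the same vector carries `"4.0"` in OSSA-2013-020 and OSSA-2013-022 in this commit. The vector also says `Au:S` while the `description` speaks of an unauthenticated attacker, so one of the two fields was probably mined from a different record. Confirm both against the upstream CVE entry; anyone triaging by score alone gets a different answer depending on which field they read.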

42
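--- a/OSSA-2013-024.json
+++ b/OSSA-2013-024.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-08-28",
+"description": "Ken'ichi Ohmichi from NEC reported that the fix for OSSA 2013-019 (CVE-2013-2256) was incomplete. Any tenant was still able to boot any other tenant's private flavors by guessing a flavor ID. This potentially allowed circumvention of any resource limits enforced through the os-flavor-access:is_public property.",
+"id": "2013-024",
+"title": "Resource limit circumvention in Nova private flavors",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1212179"
+],
+"notes": "",
+"reporters": [
+{
+"company": "NEC",
+"name": "Ken'ichi Ohmichi"
+}
+],
+"reviews": [
+"42922",
+"43281",
+"43296"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4278",
+"cvss": {
+"base_score": "5.5",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}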

41
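--- a/OSSA-2013-025.json
+++ b/OSSA-2013-025.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-09-11",
+"description": "Kieran Spear from the University of Melbourne reported a vulnerability in Keystone memcache and KVS token backends. The PKI token revocation lists stored the entire token instead of the token ID, triggering comparison failures, ultimately resulting in revoked PKI tokens still being considered valid. Only Folsom and Grizzly Keystone setups making use of PKI tokens with the memcache or KVS token backends are affected. Havana setups, setups using UUID tokens, or setups using PKI tokens with the SQL token backend are all unaffected.",
+"id": "2013-025",
+"title": " Token revocation failure using Keystone memcache/KVS backends",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-September/000142.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1202952"
+],
+"notes": "",
+"reporters": [
+{
+"company": "University of Melbourne",
+"name": "Kieran Spear"
+}
+],
+"reviews": [
+"46079",
+"46080"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4294",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}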
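Review bot: The `title` value begins with a space (`" Token revocation failure using Keystone memcache/KVS backends"`), which breaks exact-match lookups and puts this advisory out of order in any sort by title. Strip it: `"title": "Token revocation failure using Keystone memcache/KVS backends",`. Several `description` values in this commit (OSSA-2013-010, OSSA-2013-012 and OSSA-2013-033, for example) end in a trailing space for what is probably the same reason, so trimming strings in the import step would cover both.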

43
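--- a/OSSA-2013-026.json
+++ b/OSSA-2013-026.json
@@ -0,0 +1,43 @@
+{
+"advisory": {
+"date": "2013-09-12",
+"description": "Jaroslav Henner from Red Hat reported a vulnerability in Nova when using Apache Qpid as the RPC backend. By sending any random text longer than 65K characters to an instance console and requesting the console log contents through the API, an authenticated user may disrupt the nova-compute node his instance is running on. This vulnerability could be leveraged in a Denial of Service attack against the cloud provider. Only Folsom and Grizzly setups using Qpid as their RPC backend are affected. Havana setups, or setups using other RPC backends (like RabbitMQ), are all unaffected.",
+"id": "2013-026",
+"title": "Potential denial of service on Nova when using Qpid",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-September/000143.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1215091"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Jaroslav Henner"
+}
+],
+"reviews": [
+"44695",
+"44700",
+"45426",
+"43303"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4261",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}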

41
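--- a/OSSA-2013-027.json
+++ b/OSSA-2013-027.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-10-22",
+"description": "Stuart McLaren from HP reported a vulnerability in Glance download_image policy enforcement in the case of cached images. Deployers may opt to set a download_image policy to restrict image download to specific roles. However, when an image is previously cached by an authorized download, any authenticated user could download image contents if it can determine the image UUID, bypassing any download_image policy restrictions. This could result in disclosure of image contents that were thought to be protected by the download_image policy setting. Only setups making use of the download_image policy are affected.",
+"id": "2013-027",
+"title": "Glance image_download policy not enforced for cached images",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-October/000155.html"
+},
+"affects": [
+{
+"product": "glance",
+"version": "TODO"
+}
+],
+"bugs": [
+"1235378"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Stuart McLaren"
+}
+],
+"reviews": [
+"50103",
+"50860"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4428",
+"cvss": {
+"base_score": "6.3",
+"scoring_vector": "AV:N/AC:M/Au:S/C:C/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}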
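Review bot: The `title` names the policy `image_download` while the `description` calls it `download_image` throughout, so an operator who searches a policy file for the name in the title will not find the rule the advisory is about. If the title is reproduced verbatim from the published advisory, record the discrepancy in the empty `notes` field rather than leaving the two spellings unexplained, for example `"notes": "Title as published; the policy rule is download_image."`.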

43
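--- a/OSSA-2013-028.json
+++ b/OSSA-2013-028.json
@@ -0,0 +1,43 @@
+{
+"advisory": {
+"date": "2013-10-30",
+"description": "The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.",
+"id": "2013-028",
+"title": "Unintentional role granting with Keystone LDAP backend",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-October/000158.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1242855"
+],
+"notes": "",
+"reporters": [
+{
+"company": "IBM",
+"name": "The IBM OpenStack test team"
+}
+],
+"reviews": [
+"5310",
+"53012",
+"53154",
+"53146"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4477",
+"cvss": {
+"base_score": "4.9",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}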
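Review bot: The first entry in `reviews`, `"5310"`, has four digits while the other three (`"53012"`, `"53154"`, `"53146"`) have five and sit in the same range, so it looks like a truncated change number. Nothing in this file says which change was meant; check it against the fixes listed in the advisory at `url` rather than guessing the missing digit. A wrong review id matters here because these ids are how a deployer finds the patch to backport.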

55
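--- a/OSSA-2013-029.json
+++ b/OSSA-2013-029.json
@@ -0,0 +1,55 @@
+{
+"advisory": {
+"date": "2013-10-31",
+"description": "Bernhard M. Wiedemann from SUSE reported a vulnerability in Nova's control of the size of disk images. By using malicious compressed qcow2 disk images, an authenticated user may consume large amounts of disk space for each image, potentially resulting in a Denial of Service attack on Nova compute nodes (CVE-2013-4463). While fixing this issue, P\u00e1draig Brady from Red Hat additionally discovered that OSSA 2013-012 did not fully address CVE-2013-2096 in the non-default case where use_cow_images=False, and malicious qcow images are being transferred from Glance. In that specific case, an authenticated user could still consume large amounts of disk space for each instance using the malicious image, potentially also resulting in a Denial of Service attack on Nova compute nodes (CVE-2013-4469). The provided fixes address both issues.",
+"id": "2013-029",
+"title": "Potential Nova denial of service through compressed disk images",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-October/000159.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1206081"
+],
+"notes": "",
+"reporters": [
+{
+"company": "SUSE",
+"name": "Bernhard M. Wiedemann"
+},
+{
+"company": "Red Hat",
+"name": "P\u00e1draig Brady"
+}
+],
+"reviews": [
+"54765",
+"54767",
+"54768"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4463",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+},
+{
+"cve": "CVE-2013-4469",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}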

46
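--- a/OSSA-2013-030.json
+++ b/OSSA-2013-030.json
@@ -0,0 +1,46 @@
+{
+"advisory": {
+"date": "2013-11-14",
+"description": "Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova's XenAPI hypervisor backend. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.",
+"id": "2013-030",
+"title": "XenAPI security groups not kept through migrate or resize",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-November/000161.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1073306",
+"1202266"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Rackspace",
+"name": "Chris Behrens"
+},
+{
+"company": "UNKNOWN",
+"name": "Vangelis Tasoulas"
+}
+],
+"reviews": [
+"52987",
+"52989"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-4497",
+"cvss": {
+"base_score": "3.6",
+"scoring_vector": "AV:N/AC:H/Au:S/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}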

41
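--- a/OSSA-2013-031.json
+++ b/OSSA-2013-031.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-11-25",
+"description": "Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected.",
+"id": "2013-031",
+"title": "Ceilometer DB2/MongoDB backend password leak",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-November/000164.html"
+},
+"affects": [
+{
+"product": "ceilometer",
+"version": "TODO"
+}
+],
+"bugs": [
+"1244476"
+],
+"notes": "",
+"reporters": [
+{
+"company": "IBM",
+"name": "Eric Brown"
+}
+],
+"reviews": [
+"54553",
+"56396"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6384",
+"cvss": {
+"base_score": "2.1",
+"scoring_vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
+},
+"cwe": "TODO",
+"impact": "low"
+}
+]
+}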
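Review bot: `base_score` `"2.1"` is inconsistent with `scoring_vector` `AV:L/AC:L/Au:N/C:P/I:P/A:P`, which evaluates to 4.6 under the CVSSv2 equations. A score of 2.1 is what a local vector with a single partial impact gives, as in OSSA-2013-013 (`AV:L/AC:L/Au:N/C:P/I:N/A:N`). The `description` (a backend password written to logs) reads as a confidentiality issue, so the vector is the more likely field to be wrong, but that is an inference; verify both against the upstream CVE record before either is used for prioritisation.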

42
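--- a/OSSA-2013-032.json
+++ b/OSSA-2013-032.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-12-11",
+"description": "Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.",
+"id": "2013-032",
+"title": "Keystone trust circumvention through EC2-style tokens",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000168.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1242597"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Steven Hardy"
+}
+],
+"reviews": [
+"51973",
+"61419",
+"61425"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6391",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}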

49
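--- a/OSSA-2013-033.json
+++ b/OSSA-2013-033.json
@@ -0,0 +1,49 @@
+{
+"advisory": {
+"date": "2013-12-11",
+"description": "Aaron Rosen from VMware reported a vulnerability in the metadata access from OpenStack Neutron to Nova. Because of a missing authorization check on port binding, by guessing an instance_id a tenant may retrieve another tenant's metadata resulting in information disclosure. Only OpenStack setups running neutron-metadata-agent are affected. ",
+"id": "2013-033",
+"title": "Metadata queries from Neutron to Nova are not restricted by tenant",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html"
+},
+"affects": [
+{
+"product": "neutron",
+"version": "TODO"
+},
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1235450"
+],
+"notes": "",
+"reporters": [
+{
+"company": "VMware",
+"name": "Aaron Rosen"
+}
+],
+"reviews": [
+"61439",
+"61428",
+"61442",
+"61435",
+"61443",
+"61437"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6419",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}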

41
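--- a/OSSA-2013-034.json
+++ b/OSSA-2013-034.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-12-11",
+"description": "Steven Hardy from Red Hat reported a vulnerability in Heat's default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat's cloudformation-compatible API are affected.",
+"id": "2013-034",
+"title": "Heat CFN policy rules not all enforced",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000170.html"
+},
+"affects": [
+{
+"product": "heat",
+"version": "TODO"
+}
+],
+"bugs": [
+"1256049"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Steven Hardy"
+}
+],
+"reviews": [
+"61452",
+"61454"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6426",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}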

41
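--- a/OSSA-2013-035.json
+++ b/OSSA-2013-035.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2013-12-11",
+"description": "Steven Hardy from Red Hat reported a vulnerability in the Heat ReST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration ReST interface are affected.",
+"id": "2013-035",
+"title": "Heat ReST API doesn't respect tenant scoping",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000172.html"
+},
+"affects": [
+{
+"product": "heat",
+"version": "TODO"
+}
+],
+"bugs": [
+"1256983"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Steven Hardy"
+}
+],
+"reviews": [
+"61455",
+"61456"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6428",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}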

42
OSSA-2013-036.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2013-12-11",
"description": "Cisco PSIRT reported a vulnerability in the OpenStack Horizon dashboard. By embedding HTML tags in an Instance Name, a tenant may execute a script within an administrator's browser resulting in a cross-site scripting (XSS) attack. Only setups using the Horizon dashboard are affected.",
"id": "2013-036",
"title": "Insufficient sanitization of Instance Name in Horizon",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000173.html"
},
"affects": [
{
"product": "horizon",
"version": "TODO"
}
],
"bugs": [
"1247675"
],
"notes": "",
"reporters": [
{
"company": "Cisco",
"name": "Cisco PSIRT"
}
],
"reviews": [
"55175",
"58465",
"58820"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2013-6858",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
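--- a/OSSA-2013-037.json
+++ b/OSSA-2013-037.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-12-18",
+"description": "Phil Day from HP reported a vulnerability in the libvirt driver handling of ephemeral disk backing files on Nova compute nodes. By repeatedly creating snapshots, changing the os_type to a new random value, and spawning new instances from the snapshot (and quickly deleting those instances), an authenticated user could generate lots of different ephemeral disk backing files and fill up compute node disks, potentially resulting in a Denial of Service against a Nova setup. Only Nova setups running the libvirt driver are affected.",
+"id": "2013-037",
+"title": "Nova compute DoS through ephemeral disk backing files",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2013-December/000179.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1253980"
+],
+"notes": "",
+"reporters": [
+{
+"company": "HP",
+"name": "Phil Day"
+}
+],
+"reviews": [
+"62910",
+"62912",
+"62913"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-6437",
+"cvss": {
+"base_score": "4",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}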
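Review bot: `"base_score": "4"` in the `cvss` object is written without the decimal that the other records use (`"4.0"`, `"4.3"`), and the same form appears in OSSA-2014-014.json and OSSA-2014-016.json. Because the score is stored as a string, a consumer that compares or sorts scores as text will treat `"4"` and `"4.0"` as different values. Writing `"base_score": "4.0"` in the three files keeps the field uniform; the schema shown in schema.py only requires a string, so it would not catch the difference.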

42
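--- a/OSSA-2014-001.json
+++ b/OSSA-2014-001.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2013-01-13",
+"description": "Daniel Berrange from Red Hat reported that the directories used to temporarily store live snapshots on Nova compute nodes were writable to all local users. A local attacker with shell access on compute nodes could therefore read and modify the contents of live snapshots before those are uploaded to the image service.",
+"id": "2014-001",
+"title": "Nova live snapshots use an insecure local directory",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-January/000184.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1227027"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Daniel Berrange"
+}
+],
+"reviews": [
+"58852",
+"60548",
+"60550"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2013-7048",
+"cvss": {
+"base_score": "5.8",
+"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}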
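Review bot: `"date": "2013-01-13"` in the `advisory` object does not agree with the advisory id `2014-001` or with the announcement URL, which is under `2014-January`; the year looks mistyped and the line should presumably read `"date": "2014-01-13"`. OSSA-2014-002.json has the same mismatch with `"date": "2013-01-16"`. The schema in schema.py checks only the digit pattern of the date, so this passes validation and would misplace both advisories in any timeline built from the field. Separately, the description speaks of a local attacker with shell access while the mined vector starts with `AV:N`; that may come from the upstream CVE data, but it is worth confirming before the score is relied on.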

42
OSSA-2014-002.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2013-01-16",
"description": "Samuel Merritt from SwiftStack reported a timing attack vulnerability in Swift TempURL middleware. By analyzing response times to arbitrary TempURL requests, an attacker may be able to guess valid secret URLs and get access to objects that were only intended to be publicly shared with specific recipients. In order to use this attack, the attacker needs to know the targeted object name, and the object account needs to have a TempURL key set. Only Swift setups enabling the TempURL middleware are affected.",
"id": "2014-002",
"title": "Swift TempURL timing attack",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-January/000185.html"
},
"affects": [
{
"product": "swift",
"version": "TODO"
}
],
"bugs": [
"1265665"
],
"notes": "",
"reporters": [
{
"company": "SwiftStack",
"name": "Samuel Merritt"
}
],
"reviews": [
"67185",
"67186",
"67187"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0006",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-003.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-01-23",
"description": "Loganathan Parthipan from Hewlett Packard reported a vulnerability in the Nova libvirt driver. By spawning a server with the same flavor as another user's migrated virtual machine, an authenticated user can potentially access that user's snapshot content resulting in information leakage. Only setups using KVM live block migration are affected.",
"id": "2014-003",
"title": "Live migration can leak root disk into ephemeral storage",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-January/000188.html"
},
"affects": [
{
"product": "nova",
"version": "TODO"
}
],
"bugs": [
"1251590"
],
"notes": "",
"reporters": [
{
"company": "HP",
"name": "Loganathan Parthipan"
}
],
"reviews": [
"68658",
"68659",
"68660"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2013-7130",
"cvss": {
"base_score": "3.5",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

41
OSSA-2014-004.json Normal file

@ -0,0 +1,41 @@
{
"advisory": {
"date": "2014-02-12",
"description": "Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.",
"id": "2014-004",
"title": "Glance Swift store backend password leak",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-February/000194.html"
},
"affects": [
{
"product": "glance",
"version": "TODO"
}
],
"bugs": [
"1275062"
],
"notes": "",
"reporters": [
{
"company": "Rackspace",
"name": "Nikhil Komawar"
}
],
"reviews": [
"71419",
"72473"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-1948",
"cvss": {
"base_score": "3.3",
"scoring_vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

40
OSSA-2014-005.json Normal file

@ -0,0 +1,40 @@
{
"advisory": {
"date": "2014-02-17",
"description": "Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any used credentials.",
"id": "2014-005",
"title": "Missing SSL certificate check in Python Swift client",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-February/000198.html"
},
"affects": [
{
"product": "python-swiftclient",
"version": "TODO"
}
],
"bugs": [
"1199783"
],
"notes": "",
"reporters": [
{
"company": "HP",
"name": "Thomas Leaman"
}
],
"reviews": [
"69187"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2013-6396",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-006.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-03-04",
"description": "Morgan Fainberg from Metacloud reported a vulnerability in the Keystone memcache token backend. When a trustor issues a trust token with impersonation enabled, the token is only added to the trustor's token list and not to the trustee's token list. This results in the trust token not being invalidated by the trustee's token revocation (bulk revocation). This is most noticeable when the trustee user is disabled or the trustee changes a password. Only setups using the memcache backend for tokens in Keystone are affected.",
"id": "2014-006",
"title": "Trustee token revocation does not work with memcache backend",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-March/000204.html"
},
"affects": [
{
"product": "keystone",
"version": "TODO"
}
],
"bugs": [
"1260080"
],
"notes": "",
"reporters": [
{
"company": "Metacloud",
"name": "Morgan Fainberg"
}
],
"reviews": [
"60743",
"75521",
"75526"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-2237",
"cvss": {
"base_score": "4.0",
"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

40
OSSA-2014-007.json Normal file

@ -0,0 +1,40 @@
{
"advisory": {
"date": "2014-03-27",
"description": "Kieran Spear from the University of Melbourne reported a vulnerability in Keystone auth_token middleware (shipped in python-keystoneclient). By doing repeated requests, with sufficient load on the target system, an authenticated user may in certain situations assume another authenticated user's complete identity and multi-tenant authorizations, potentially resulting in a privilege escalation. Note that it is related to a bad interaction between eventlet and python-memcached that should be avoided if the calling process already monkey-patches \"thread\" to use eventlet. Only keystone middleware setups using auth_token with memcache are vulnerable.",
"id": "2014-007",
"title": "Potential context confusion in Keystone middleware",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-March/000211.html"
},
"affects": [
{
"product": "python-keystoneclient",
"version": "TODO"
}
],
"bugs": [
"1282865"
],
"notes": "",
"reporters": [
{
"company": "University of Melbourne",
"name": "Kieran Spear"
}
],
"reviews": [
"81078"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0105",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "important"
}
]
}

41
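--- a/OSSA-2014-008.json
+++ b/OSSA-2014-008.json
@@ -0,0 +1,41 @@
+{
+"advisory": {
+"date": "2014-03-27",
+"description": "Aaron Rosen from VMWare reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent.",
+"id": "2014-008",
+"title": "Routers can be cross plugged by other tenants",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-March/000212.html"
+},
+"affects": [
+{
+"product": "neutron",
+"version": "TODO"
+}
+],
+"bugs": [
+"1243327"
+],
+"notes": "",
+"reporters": [
+{
+"company": "VMWare",
+"name": "Aaron Rosen"
+}
+],
+"reviews": [
+"83391",
+"83393"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2014-0056",
+"cvss": {
+"base_score": "4.1",
+"scoring_vector": "AV:A/AC:L/Au:S/C:P/I:P/A:N"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}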
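Review bot: `"company": "VMWare"` in `reporters` spells the company differently from OSSA-2013-033.json, which records the same reporter, Aaron Rosen, with `"company": "VMware"`. Any grouping of reporters by company would count these as two organisations. Changing the line to `"company": "VMware"` would make them match; the description string repeats the `VMWare` spelling and may be copied from the original announcement, so it can stay as published.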

42
OSSA-2014-009.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-03-27",
"description": "Stanislaw Pitucha from Hewlett Packard reported a vulnerability in the Nova instance rescue mode. By overwriting the disk inside an instance with a malicious image and switching the instance to rescue mode, an authenticated user would be able to leak an arbitrary file from the compute host to the virtual instance. Note that the host file must be readable by the libvirt/kvm context to be exposed. Only setups using libvirt to spawn instance, and having \"use_cow_images = False\" in Nova configuration are affected.",
"id": "2014-009",
"title": "Nova host data leak to vm instance in rescue mode",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-March/000213.html"
},
"affects": [
{
"product": "nova",
"version": "TODO"
}
],
"bugs": [
"1221190"
],
"notes": "Review 86353 not included in advisory.",
"reporters": [
{
"company": "HP",
"name": "Stanislaw Pitucha"
}
],
"reviews": [
"82841",
"82840",
"86353"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0134",
"cvss": {
"base_score": "3.5",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-010.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-04-08",
"description": "Cristian Fiorentino from Intel reported a vulnerability in Horizon Orchestration dashboard. By tricking a Horizon user into using a malicious template in the Orchestration/Stack section of Horizon, a remote attacker may trigger a cross-site-scripting vulnerability. It may result in potential assets theft (Horizon user/admin access credentials, tenants confidential information, etc.). Only setups exposing the orchestration dashboard in Horizon are affected. ",
"id": "2014-010",
"title": "XSS in Horizon orchestration dashboard",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-April/000218.html"
},
"affects": [
{
"product": "horizon",
"version": "TODO"
}
],
"bugs": [
"1289033"
],
"notes": "",
"reporters": [
{
"company": "Intel",
"name": "Cristian Fiorentino"
}
],
"reviews": [
"86059",
"86054",
"86056"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0157",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "low"
}
]
}

42
OSSA-2014-011.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-04-09",
"description": "Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected.",
"id": "2014-011",
"title": "RBAC policy not properly enforced in Nova EC2 API",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-April/000219.html"
},
"affects": [
{
"product": "nova",
"version": "TODO"
}
],
"bugs": [
"1290537"
],
"notes": "",
"reporters": [
{
"company": "Ubisoft",
"name": "Marc Heckmann"
}
],
"reviews": [
"86358",
"86360",
"86361"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0167",
"cvss": {
"base_score": "6.0",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-012.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-04-10",
"description": "Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog backend. By using a specially crafted location, a user allowed to insert or modify Glance image metadata may trigger code execution on the Glance host as the user the Glance service runs under. This may result in Glance host unauthorized access and further compromise of the Glance service. All setups using Glance server with the (enabled by default) sheepdog backend are affected.",
"id": "2014-012",
"title": "Remote code execution in Glance Sheepdog backend",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-April/000220.html"
},
"affects": [
{
"product": "glance",
"version": "TODO"
}
],
"bugs": [
"1298698"
],
"notes": "",
"reporters": [
{
"company": "Nebula",
"name": "Paul McMillan"
}
],
"reviews": [
"86622",
"86625",
"86626"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0162",
"cvss": {
"base_score": "6.5",
"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
},
"cwe": "TODO",
"impact": "important"
}
]
}

42
OSSA-2014-013.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-04-10",
"description": "Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.",
"id": "2014-013",
"title": "Keystone DoS through V3 API authentication chaining",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-April/000221.html"
},
"affects": [
{
"product": "keystone",
"version": "TODO"
}
],
"bugs": [
"1300274"
],
"notes": "",
"reporters": [
{
"company": "Ericsson",
"name": "Abu Shohel Ahmed"
}
],
"reviews": [
"84425",
"84735",
"86024"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-2828",
"cvss": {
"base_score": "5.0",
"scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

46
OSSA-2014-014.json Normal file

@ -0,0 +1,46 @@
{
"advisory": {
"date": "2014-04-22",
"description": "Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche Telekom reported a vulnerability in Neutron security groups. By creating a security group rule with an invalid CIDR, an authenticated user may break openvswitch-agent process, preventing further rules from being applied on the host. Note: removal of the faulty rule is not enough, the openvswitch-agent must be restarted. All Neutron setups using Open vSwitch are affected.",
"id": "2014-014",
"title": "Neutron security groups bypass through invalid CIDR",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-April/000227.html"
},
"affects": [
{
"product": "neutron",
"version": "TODO"
}
],
"bugs": [
"1300785"
],
"notes": "",
"reporters": [
{
"company": "HP",
"name": "Stephen Ma"
},
{
"company": "Deutsche Telekom",
"name": "Christoph Thiel"
}
],
"reviews": [
"59212",
"88674",
"88057"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0187",
"cvss": {
"base_score": "4",
"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

43
OSSA-2014-015.json Normal file

@ -0,0 +1,43 @@
{
"advisory": {
"date": "2014-05-21",
"description": "Michael Stancampiano from IBM reported a vulnerability in Keystone. Someone with write access to the user and group repository (such as the LDAP directory server) may willingly or unwillingly grant additional rights by picking the same IDs for users and groups, resulting in roles assigned to a group being assigned to the affected user even if he is not a member of this group. Only Keystone setups using LDAP for the Identity driver are affected.",
"id": "2014-015",
"title": "Keystone user and group id mismatch",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html"
},
"affects": [
{
"product": "keystone",
"version": "TODO"
}
],
"bugs": [
"1309228"
],
"notes": "",
"reporters": [
{
"company": "IBM",
"name": "Michael Stancampiano"
}
],
"reviews": [
"94396",
"94470",
"94397",
"95263"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-0204",
"cvss": {
"base_score": "2.7",
"scoring_vector": "AV:A/AC:L/Au:S/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-016.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-05-23",
"description": "Jason Dunsmore from Rackspace reported a vulnerability in Heat. An authenticated user may temporarily see the URL of a provider template used in another tenant by listing heat resources types. This may result in disclosure of additional information if the template itself can be accessed. The URL disappears from the listing after a certain point in the stack creation. All Heat setups are affected.",
"id": "2014-016",
"title": "Heat template URL information leakage",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-May/000232.html"
},
"affects": [
{
"product": "heat",
"version": "TODO"
}
],
"bugs": [
"1311223"
],
"notes": "",
"reporters": [
{
"company": "Rackspace",
"name": "Jason Dunsmore"
}
],
"reviews": [
"89695",
"94625",
"94644"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3801",
"cvss": {
"base_score": "4",
"scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

45
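--- a/OSSA-2014-017.json
+++ b/OSSA-2014-017.json
@@ -0,0 +1,45 @@
+{
+"advisory": {
+"date": "2014-05-29",
+"description": "Jaroslav Henner from Red Hat reported a vulnerability in Nova. By requesting Nova place an image into rescue, then deleting the image, an authenticated user my exceed their quota. This can result in a denial of service via excessive resource consumption. Only setups using the Nova VMWare driver are affected.",
+"id": "2014-017",
+"title": "Nova VMWare driver leaks rescued images",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-May/000235.html"
+},
+"affects": [
+{
+"product": "nova",
+"version": "TODO"
+}
+],
+"bugs": [
+"1269418"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Jaroslav Henner"
+}
+],
+"reviews": [
+"75788",
+"80284",
+"88514",
+"89217",
+"89762",
+"89768"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2014-2573",
+"cvss": {
+"base_score": "4.0",
+"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
+},
+"cwe": "TODO",
+"impact": "moderate"
+}
+]
+}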
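Review bot: The description contains a typo, `an authenticated user my exceed their quota`, which should read `may exceed their quota`. If the wording was copied from the mailing-list announcement, it may be preferable to keep the published text and record the correction in `notes`, which is empty here.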

42
OSSA-2014-018.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-06-12",
"description": "Steven Hardy from Red Hat reported a vulnerability in Keystone chained delegation. By creating a delegation from a trust or OAuth token, a trustee may abuse the identity impersonation against keystone and circumvent the enforced scope, resulting in potential elevated privileges to any of the trustor's projects and or roles. All Keystone deployments configured to enable trusts are affected, which has been the default since Grizzly.",
"id": "2014-018",
"title": "Keystone privilege escalation through trust chained delegation",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html"
},
"affects": [
{
"product": "keystone",
"version": "TODO"
}
],
"bugs": [
"1324592"
],
"notes": "",
"reporters": [
{
"company": "Red Hat",
"name": "Steven Hardy"
}
],
"reviews": [
"99687",
"99700",
"99703"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3476",
"cvss": {
"base_score": "4.9",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
},
"cwe": "TODO",
"impact": "important"
}
]
}

42
OSSA-2014-019.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-06-18",
"description": "Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.",
"id": "2014-019",
"title": "Neutron L3-agent DoS through IPv6 subnet",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000242.html"
},
"affects": [
{
"product": "neutron",
"version": "TODO"
}
],
"bugs": [
"1309195"
],
"notes": "",
"reporters": [
{
"company": "HP",
"name": "Thiago Martins"
}
],
"reviews": [
"88584",
"95938",
"95939"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-4167",
"cvss": {
"base_score": "4.0",
"scoring_vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

41
OSSA-2014-020.json Normal file

@ -0,0 +1,41 @@
{
"advisory": {
"date": "2014-06-19",
"description": "Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected. ",
"id": "2014-020",
"title": "XSS in Swift requests through WWW-Authenticate header",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html"
},
"affects": [
{
"product": "swift",
"version": "TODO"
}
],
"bugs": [
"1327414"
],
"notes": "",
"reporters": [
{
"company": "Globo.com",
"name": "Globo.com Security Team"
}
],
"reviews": [
"101031",
"101032"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3497",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

51
OSSA-2014-021.json Normal file

@ -0,0 +1,51 @@
{
"advisory": {
"date": "2014-06-25",
"description": "Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that goes through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted.",
"id": "2014-021",
"title": "User token leak to message queue in pyCADF notifier middleware",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-June/000245.html"
},
"affects": [
{
"product": "neutron",
"version": "TODO"
},
{
"product": "ceilometer",
"version": "TODO"
}
],
"bugs": [
"1321080"
],
"notes": "PyCADF library is also mentioned in this advisory, but is not officially security supported by OpenStack VMT",
"reporters": [
{
"company": "IBM",
"name": "Zhi Kun Liu"
}
],
"reviews": [
"94666",
"94770",
"94891",
"94878",
"101097",
"96944",
"101799",
"100414"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-4615",
"cvss": {
"base_score": "5.0",
"scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "important"
}
]
}

42
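--- a/OSSA-2014-022.json
+++ b/OSSA-2014-022.json
@@ -0,0 +1,42 @@
+{
+"advisory": {
+"date": "2014-07-02",
+"description": "Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts. By using an out of scope project id, a trustee may gain unauthorized access if the trustor has the required roles in the requested project id. All Keystone deployments configured to enable trusts and V2 API are affected.",
+"id": "2014-022",
+"title": "Keystone V2 trusts privilege escalation through user supplied",
+"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html"
+},
+"affects": [
+{
+"product": "keystone",
+"version": "TODO"
+}
+],
+"bugs": [
+"1331912"
+],
+"notes": "",
+"reporters": [
+{
+"company": "Red Hat",
+"name": "Jamie Lennox"
+}
+],
+"reviews": [
+"104216",
+"104217",
+"104218"
+],
+"schema_version": 1,
+"vulnerabilities": [
+{
+"cve": "CVE-2014-3520",
+"cvss": {
+"base_score": "3.5",
+"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"
+},
+"cwe": "TODO",
+"impact": "important"
+}
+]
+}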
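Review bot: The title `Keystone V2 trusts privilege escalation through user supplied` ends mid-phrase and looks truncated during import. The description refers to an out of scope project id, so the full title is presumably `Keystone V2 trusts privilege escalation through user supplied project id`; confirm against the announcement at `advisory.url` before changing it. The schema in schema.py only requires `title` to be a string, so truncation of this kind is not caught by validation.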

70
OSSA-2014-023.json Normal file

@ -0,0 +1,70 @@
{
"advisory": {
"date": "2014-07-08",
"description": "Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and Michael Xin from Rackspace reported 3 cross-site scripting (XSS) vulnerabilities in Horizon. A malicious Orchestration template owner or catalog may conduct an XSS attack once a corrupted template is used in the Orchestration/Stack section of Horizon. A malicious Horizon user may store an XSS attack by creating a network with a corrupted name. A malicious Horizon administrator may store an XSS attack by creating a user with a corrupted email address. Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected.",
"id": "2014-023",
"title": "Multiple XSS vulnerabilities in Horizon",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-July/000251.html"
},
"affects": [
{
"product": "horizon",
"version": "TODO"
}
],
"bugs": [
"1308727",
"1320235",
"1322197"
],
"notes": "",
"reporters": [
{
"company": "HP",
"name": "Jason Hullinger"
},
{
"company": "Cisco",
"name": "Craig Lorentzen"
},
{
"company": "Rackspace",
"name": "Michael Xin"
}
],
"reviews": [
"105476",
"105477",
"105478"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3473",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
},
{
"cve": "CVE-2014-3474",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
},
{
"cve": "CVE-2014-3475",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-024.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-07-17",
"description": "Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.",
"id": "2014-024",
"title": "Use of non-constant time comparison operation",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-July/000253.html"
},
"affects": [
{
"product": "nova",
"version": "TODO"
}
],
"bugs": [
"1325128"
],
"notes": "",
"reporters": [
{
"company": "Rackspace",
"name": "Alex Gaynor"
}
],
"reviews": [
"107396",
"107397",
"107398"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3517",
"cvss": {
"base_score": "4.3",
"scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

42
OSSA-2014-025.json Normal file

@ -0,0 +1,42 @@
{
"advisory": {
"date": "2014-07-17",
"description": "Liping Mao from Cisco reported a denial of service vulnerability in Neutron's handling of allowed address pair. By creating a large number of allowed address pairs, an authenticated user may overwhelm neutron firewall rules and render compute nodes unusable. All Neutron setups are affected.",
"id": "2014-025",
"title": "Denial of Service in Neutron allowed address pair",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-July/000255.html"
},
"affects": [
{
"product": "neutron",
"version": "TODO"
}
],
"bugs": [
"1336207"
],
"notes": "",
"reporters": [
{
"company": "Cisco",
"name": "Liping Mao"
}
],
"reviews": [
"107734",
"107733",
"107731"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-3555",
"cvss": {
"base_score": "3.5",
"scoring_vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"
},
"cwe": "TODO",
"impact": "moderate"
}
]
}

2
README.md Normal file

@ -0,0 +1,2 @@
Records of each security advisory issued by the OpenStack VMT
http://openstack-security.info

213
schema.py Normal file

@ -0,0 +1,213 @@
import json
import jsonschema
import sys
# Based on https://wiki.openstack.org/wiki/Security_supported_projects
VMT_SECURITY_SUPPORTED = [
"nova",
"python-novaclient",
"swift",
"python-swiftclient",
"glance",
"python-glanceclient",
"keystone",
"python-keystoneclient",
"horizon",
"horizon_lib",
"django_openstack_auth",
"neutron",
"python-neutronclient",
"cinder",
"python-cinderclient",
"ceilometer",
"python-ceilometerclient",
"heat",
"python-heatclient",
"heat-cfntools",
"trove",
"python-troveclient",
"sahara",
"python-saharaclient",
"oslo.config",
"oslo.version"
]
# Based on https://access.redhat.com/security/updates/classification
VMT_IMPACT_DESCRIPTIONS = [ "critical", "important", "moderate", "low" ]
# (allow temporarily for CVE data missing this information)
VMT_IMPACT_DESCRIPTIONS.append("UNKNOWN")
# This is a jsonschema in attempt to ensure content added to the
# repository is in a sane & consistent format..
OSSA_SCHEMA_V1 = {
"title" : "OpenStack Advisory",
"type" : "object",
"properties": {
"schema_version" : {
"type" : "integer"
},
"vulnerabilities" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"cve" : {
"type" : "string",
"pattern" : "^CVE-[0-9]+-[0-9]+$"
},
"cwe" : {
"type" : "string"
},
"cvss" : {
"type": "object",
"properties": {
"base_score" : {
"type" : "string"
},
"scoring_vector" : {
"type" : "string"
}
},
"required": ["base_score", "scoring_vector" ]
},
"impact" : {
"enum" : VMT_IMPACT_DESCRIPTIONS
},
},
"required" : [ "cve", "cwe", "cvss", "impact" ]
},
"minItems" : 1,
"uniqueItems" : True
},
"advisory" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "string",
"pattern" : "^[0-9]+-[0-9]+$"
},
"date" :{
"type": "string",
"pattern" : "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]"
},
"url" : {
"type" : "string"
},
"title" : {
"type" : "string"
},
"description" : {
"type" : "string"
}
},
"required" : ["id", "date", "url", "title", "description" ]
},
"reporters" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"name" : {
"type" : "string",
},
"company" : {
"type" : "string"
}
},
"required" : ["name", "company"],
},
"minItems" : 1,
"uniqueItems" : True
},
"affects" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"product" : {
"enum" : VMT_SECURITY_SUPPORTED
},
"version" : {
"type" : "string" # TODO define format for this
}
},
"required" : ["product", "version" ]
},
"minItems" : 1,
"uniqueItems" : True
},
"bugs" : {
"type" : "array",
"items" : {
"type" : "string",
"pattern" : "^[0-9]+$"
},
"minItems" : 1,
"uniqueItems" : True
},
"reviews" : {
"type" : "array",
"items" : {
"type" : "string",
"pattern" : "^[0-9]+$"
},
"minItems": 1,
"uniqueItems": True
},
"notes" : {
"type" : "string"
}
},
"required" : [
"schema_version",
"vulnerabilities",
"advisory",
"reporters",
"affects",
"bugs",
"reviews"
]
}
def get_schema(version):
if version == 1:
return OSSA_SCHEMA_V1
else:
raise ValueError("Schema version: '{}' is not supported.".format(version))
def validate(files):
for filename in files:
with open(filename) as data:
ossa = json.loads(data.read())
if 'schema_version' not in ossa:
print("error: <{}>: schema_version missing".format(filename))
continue
try:
jsonschema.validate(ossa, get_schema(int(ossa["schema_version"])))
print("{} - ok".format(filename))
except jsonschema.ValidationError as e:
print("{} - fail".format(filename))
print(e.message)
if __name__ == "__main__":
validate(sys.argv[1:])
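Review bot: `validate()` reports a rejected advisory only by printing, so the script still exits 0, and a file that is not valid JSON or names an unsupported `schema_version` raises `ValueError` out of the loop (from `json.loads`, `int()` or `get_schema`) and leaves the remaining files unchecked. If this script is meant to gate what enters the repository, it should count failures, handle `ValueError` next to `jsonschema.ValidationError`, and hand the result to `sys.exit`, as sketched below. Separately, the `date` pattern is the only one without anchors, so any string that merely contains a date passes; `"^[0-9]{4}-[0-9]{2}-[0-9]{2}$"` would match the style of the `id` and `cve` patterns.

```python
def validate(files):
    failures = 0
    for filename in files:
        try:
            # … unchanged: open the file and json.loads its contents …
            # … unchanged: schema_version presence check, plus failures += 1 before continue …
            jsonschema.validate(ossa, get_schema(int(ossa["schema_version"])))
            print("{} - ok".format(filename))
        except (jsonschema.ValidationError, ValueError) as e:
            failures += 1
            print("{} - fail".format(filename))
            print(e)
    return failures

if __name__ == "__main__":
    sys.exit(1 if validate(sys.argv[1:]) else 0)
```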