date: 2014-04-09

id: OSSA-2014-011

title: 'RBAC policy not properly enforced in Nova EC2 API'

description: 'Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2
  API security group implementation. RBAC policies are not enforced when using the
  EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted
  user may overcome his limitation by using EC2 API resulting in unauthorized action
  on security groups. Only setups using non-default RBAC rules for Nova may be affected.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2014-April/000219.html

affected-products:

  - product: nova
    version: from 2013.1 to 2013.2.3

vulnerabilities:

  - cve-id: CVE-2014-0167
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 6.0
        detail: AV:N/AC:M/Au:S/C:P/I:P/A:P
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Marc Heckmann'
    affiliation: Ubisoft
    reported:
      - CVE-2014-0167

issues:

  links:
    - https://launchpad.net/bugs/1290537

  type: launchpad

reviews:

  juno:
    - https://review.openstack.org/#/c/86358

  icehouse:
    - https://review.openstack.org/#/c/86360

  havana:
    - https://review.openstack.org/#/c/86361

  type: gerrit