Bug 872116 - (CVE-2014-0167) VUL-0: CVE-2014-0167: openstack-nova: RBAC policy not properly enforced in Nova EC2 API
(CVE-2014-0167)
VUL-0: CVE-2014-0167: openstack-nova: RBAC policy not properly enforced in No...
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Bernhard Wiedemann
Security Team bot
maint:released:sle11-sp3-uptu:57211
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-04 14:20 UTC by Alexander Bergmann
Modified: 2014-05-26 06:11 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2014-04-04 14:20:04 UTC
EMBARGOED via linux-distros:

CRD: 2014-04-09 15:00 UTC

Date: Fri, 04 Apr 2014 16:10:03 +0200
From: Tristan Cacqueray
Subject: [vs-plain] [pre-OSSA] Vulnerability in OpenStack Nova (CVE-2014-0167)

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: RBAC policy not properly enforced in Nova EC2 API
Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: 2013.1 versions up to 2013.2.3

Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using EC2 API
resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana and master (Icehouse development branch)
on the public disclosure date.

CVE: CVE-2014-0167

Proposed public disclosure date/time:
2014-04-09 15:00 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
Comment 1 Alexander Bergmann 2014-04-04 14:21:03 UTC
Created attachment 585168 [details]
cve-2014-0167-master-icehouse.patch
Comment 2 Alexander Bergmann 2014-04-04 14:21:26 UTC
Created attachment 585169 [details]
cve-2014-0167-stable-havana.patch
Comment 3 Swamp Workflow Management 2014-04-04 22:00:21 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-05-15 13:58:41 UTC
Update released for: crowbar, crowbar-barclamp-ceilometer, crowbar-barclamp-ceph, crowbar-barclamp-cinder, crowbar-barclamp-crowbar, crowbar-barclamp-crowbar-devel, crowbar-barclamp-database, crowbar-barclamp-deployer, crowbar-barclamp-dns, crowbar-barclamp-glance, crowbar-barclamp-heat, crowbar-barclamp-ipmi, crowbar-barclamp-keystone, crowbar-barclamp-logging, crowbar-barclamp-network, crowbar-barclamp-neutron, crowbar-barclamp-nfs_client, crowbar-barclamp-nova, crowbar-barclamp-nova_dashboard, crowbar-barclamp-ntp, crowbar-barclamp-pacemaker, crowbar-barclamp-provisioner, crowbar-barclamp-rabbitmq, crowbar-barclamp-suse-manager-client, crowbar-barclamp-swift, crowbar-barclamp-updater, crowbar-devel, haproxy, haproxy-debuginfo, haproxy-debugsource, mongodb, mongodb-devel, openstack-ceilometer, openstack-ceilometer-agent-central, openstack-ceilometer-agent-compute, openstack-ceilometer-alarm-evaluator, openstack-ceilometer-alarm-notifier, openstack-ceilometer-api, openstack-ceilometer-collector, openstack-ceilometer-doc, openstack-ceilometer-test, openstack-dashboard, openstack-dashboard-branding-upstream, openstack-dashboard-test, openstack-keystone, openstack-keystone-doc, openstack-keystone-test, openstack-neutron, openstack-neutron-dhcp-agent, openstack-neutron-doc, openstack-neutron-ha-tool, openstack-neutron-hyperv-agent, openstack-neutron-l3-agent, openstack-neutron-lbaas-agent, openstack-neutron-linuxbridge-agent, openstack-neutron-metadata-agent, openstack-neutron-metering-agent, openstack-neutron-mlnx-agent, openstack-neutron-nec-agent, openstack-neutron-openvswitch-agent, openstack-neutron-plugin-cisco, openstack-neutron-ryu-agent, openstack-neutron-server, openstack-neutron-test, openstack-neutron-vmware-agent, openstack-neutron-vpn-agent, openstack-nova, openstack-nova-api, openstack-nova-cells, openstack-nova-cert, openstack-nova-compute, openstack-nova-conductor, openstack-nova-console, openstack-nova-consoleauth, openstack-nova-doc, openstack-nova-network, openstack-nova-novncproxy, openstack-nova-objectstore, openstack-nova-scheduler, openstack-nova-test, openstack-nova-vncproxy, openstack-resource-agents, openstack-suse, openstack-suse-macros, openstack-suse-sudo, openstack-xen-plugins, patterns-cloud, python-amqp, python-ceilometer, python-heatclient, python-heatclient-doc, python-heatclient-test, python-horizon, python-horizon-branding-upstream, python-keystone, python-neutron, python-neutronclient, python-neutronclient-test, python-nova, python-psycopg2, python-psycopg2-debuginfo, python-psycopg2-debugsource, python-psycopg2-doc, rubygem-bson-1_9, rubygem-bson-1_9-doc, rubygem-mongo, rubygem-mongo-doc, rubygem-mongo-testsuite, susecloud-admin_en-pdf, susecloud-deployment_en-pdf, susecloud-manuals_en, susecloud-user_en-pdf, yast2-crowbar
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 6 Swamp Workflow Management 2014-05-15 17:08:48 UTC
SUSE-RU-2014:0656-1: An update that solves 5 vulnerabilities and has 15 fixes is now available.

Category: recommended (low)
Bug References: 840255,847189,861551,863719,865733,869078,869570,870175,870898,871199,871855,872116,872361,872700,872915,873127,874171,874611,874755,876326
CVE References: CVE-2014-0056,CVE-2014-0134,CVE-2014-0157,CVE-2014-0167,CVE-2014-2828
Sources used:
SUSE Cloud 3 (src):    crowbar-1.7+git.1393415366.c7d7ed2-0.9.1, crowbar-barclamp-ceilometer-1.7+git.1397725532.6562e99-0.11.1, crowbar-barclamp-ceph-1.7+git.1394531703.94bc662-0.7.4, crowbar-barclamp-cinder-1.7+git.1397563537.c0e3c1f-0.7.4, crowbar-barclamp-crowbar-1.7+git.1397546986.0138729-0.7.5, crowbar-barclamp-database-1.7+git.1398437917.4d9d949-0.7.4, crowbar-barclamp-deployer-1.7+git.1395841488.9bd9b18-0.7.4, crowbar-barclamp-dns-1.7+git.1395139533.d8065e0-0.7.4, crowbar-barclamp-glance-1.7+git.1397563542.7f7adbd-0.7.4, crowbar-barclamp-heat-1.7+git.1397563528.5365573-0.7.4, crowbar-barclamp-ipmi-1.7+git.1394447661.823417e-0.7.4, crowbar-barclamp-keystone-1.7+git.1397563548.5e1f6f4-0.7.4, crowbar-barclamp-logging-1.7+git.1394447795.1352678-0.7.4, crowbar-barclamp-network-1.7+git.1397462393.b75b4a2-0.7.4, crowbar-barclamp-neutron-1.7+git.1399280715.7a6d30c-0.7.1, crowbar-barclamp-nfs_client-1.7+git.1394448673.eec60d0-0.7.4, crowbar-barclamp-nova-1.7+git.1397563532.b0a2cf3-0.7.4, crowbar-barclamp-nova_dashboard-1.7+git.1397195786.72f875c-0.7.4, crowbar-barclamp-ntp-1.7+git.1394526594.bd0925a-0.7.4, crowbar-barclamp-pacemaker-1.7+git.1399292086.c9d262e-0.7.1, crowbar-barclamp-provisioner-1.7+git.1398437839.2078a3c-0.7.1, crowbar-barclamp-rabbitmq-1.7+git.1398437927.2b9a534-0.7.4, crowbar-barclamp-suse-manager-client-1.7+git.1394449068.c91f840-0.7.4, crowbar-barclamp-swift-1.7+git.1398348658.e9aadc4-0.7.4, crowbar-barclamp-updater-1.7+git.1394449074.c15a84e-0.7.4, haproxy-1.4.24-0.9.2, mongodb-2.4.3-0.13.1, openstack-ceilometer-2013.2.4.dev3.gd7b0634-0.9.1, openstack-ceilometer-doc-2013.2.4.dev3.gd7b0634-0.9.1, openstack-dashboard-2013.2.3.dev1.g54ec015-0.7.3, openstack-keystone-2013.2.4.dev2.ge7c2987-0.7.3, openstack-keystone-doc-2013.2.4.dev2.ge7c2987-0.7.3, openstack-neutron-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-neutron-doc-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-nova-2013.2.4.dev10.g155262c-0.7.3, openstack-nova-doc-2013.2.4.dev10.g155262c-0.7.3, openstack-resource-agents-1.0+git.1392632006.9b9b934-0.7.2, openstack-suse-2013.2-0.11.2, patterns-cloud-20140224-0.21.2, python-amqp-1.2.0-0.9.1, python-heatclient-0.2.6-0.7.2, python-neutronclient-2.3.4-0.7.3, python-psycopg2-2.5.2-0.7.2, rubygem-bson-1_9-1.9.2-0.7.2, rubygem-mongo-1.9.2-0.7.2, susecloud-manuals_en-3.0-0.34.1, yast2-crowbar-2.17.35-0.7.2
Comment 7 Bernhard Wiedemann 2014-05-26 06:11:57 UTC
fix is released