USN-2325-1: OpenStack Nova vulnerability
21 August 2014
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
OpenStack Nova could be made to expose sensitive information over the network.
- nova - OpenStack Compute cloud infrastructure
Alex Gaynor discovered that OpenStack Nova would sometimes respond with variable times when comparing authentication tokens. If nova were configured to proxy metadata requests via Neutron, a remote authenticated attacker could exploit this to conduct timing attacks and ascertain configuration details of another instance.
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.