USN-2325-1: OpenStack Nova vulnerability
Publication date
21 August 2014
Overview
OpenStack Nova could be made to expose sensitive information over the network.
Releases
Packages
- nova - OpenStack Compute cloud infrastructure
Details
Alex Gaynor discovered that OpenStack Nova would sometimes respond with
variable times when comparing authentication tokens. If nova were
configured to proxy metadata requests via Neutron, a remote authenticated
attacker could exploit this to conduct timing attacks and ascertain
configuration details of another instance.
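The difference between a variable-time and a constant-time token check, as an added example (not code from Nova or from this notice). It assumes, for illustration only, that the token is an HMAC-SHA256 over the instance ID keyed with a shared secret; the function names, secret and instance ID are constructed.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"


def sign_instance_id(instance_id, secret=SHARED_SECRET):
    """Assumed token format: HMAC-SHA256 over the instance ID, hex encoded."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def early_exit_steps(expected, provided):
    """Model of an ordinary `==` comparison that stops at the first
    differing character. Returns (equal, characters examined); the second
    value is the input-dependent work that appears as response-time variation."""
    if len(expected) != len(provided):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, provided), start=1):
        if a != b:
            return False, i
    return True, len(expected)


def verify_token_vulnerable(instance_id, provided):
    # Behaviour the notice describes: comparison time depends on the input.
    return sign_instance_id(instance_id) == provided


def verify_token_fixed(instance_id, provided):
    # hmac.compare_digest does not short-circuit on the first mismatch.
    return hmac.compare_digest(sign_instance_id(instance_id), provided)


def mutate(token, index):
    """Return a copy of token with the character at index changed."""
    replacement = "1" if token[index] == "0" else "0"
    return token[:index] + replacement + token[index + 1:]


if __name__ == "__main__":
    good = sign_instance_id(INSTANCE_ID)
    for idx in (0, 31, 63):
        bad = mutate(good, idx)
        equal, steps = early_exit_steps(good, bad)
        print(f"mismatch at {idx:2d}: early-exit examined {steps:2d} chars, "
              f"constant-time result {verify_token_fixed(INSTANCE_ID, bad)}")
```

The early-exit model examines 1, 32 and 64 characters for the three rejected tokens, while the `hmac.compare_digest` check rejects all three without that position-dependent shortcut.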
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.
The problem can be corrected by updating your system to the following package versions:
Ubuntu Release | Package Version
---|---
14.04 trusty | python-nova – 1:2014.1.2-0ubuntu1.1