Ubuntu Security Notice 2247-1 - Darragh O'Reilly discovered that OpenStack Nova did not properly set up its sudo configuration. If a different flaw was found in OpenStack Nova, this vulnerability could be used to escalate privileges. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS. Bernhard M. Wiedemann and Pedraig Brady discovered that OpenStack Nova did not properly verify the virtual size of a QCOW2 images. A remote authenticated attacker could exploit this to create a denial of service via disk consumption. This issue did not affect Ubuntu 14.04 LTS. Various other issues were also addressed.
c061c326f8e2fd51cf3da4f0196f40f3e8ce883bba777d9e41fe4665ea5c141aUbuntu Security Notice 2208-2 - USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides the corresponding updates for OpenStack Quantum. JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Ubuntu does not use QPid with Nova by default. Various other issues were also addressed.
d0d5156d5df85a3712f3a696f3471fd131bc63c5a190a82aa2f593f624ebb58dUbuntu Security Notice 2208-1 - JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Ubuntu does not use QPid with Nova by default.
53acf4004418f2da4a2339679b5b8960dea74b9702a0c8eb99b88eef60eba10eRed Hat Security Advisory 2014-0112-01 - The openstack-nova packages provide OpenStack Compute, which provides services for provisioning, managing, and using virtual machine instances. It was discovered that enabling "qpid_protocol = ssl" in the nova.conf file did not result in nova using SSL to communicate to Qpid. If Qpid was not configured to enforce SSL this could lead to sensitive information being sent unencrypted over the communication channel. A flaw was found in the way OpenStack Compute controlled the size of disk images. An authenticated remote user could use malicious compressed qcow2 disk images to consume large amounts of disk space, potentially causing a denial of service on the OpenStack Compute nodes.
a9c329772cd7af8395cafb1ec06bc13482d54fac734c4e696e1724b928aaabec
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed