MEDIUM

GHSA-67rh-9p29-vrxr

OpenStack Compute (Nova) allows remote attackers to bypass intended restriction

Details

OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nova

Introduced in: 0 Fixed in: 2014.2.4

Fix pip install --upgrade 'nova>=2014.2.4'

PyPI / nova

Introduced in: 2015.1.0 Fixed in: 2015.1.2

Fix pip install --upgrade 'nova>=2015.1.2'

References

https://nvd.nist.gov/vuln/detail/CVE-2015-7713 [ADVISORY]
https://access.redhat.com/errata/RHSA-2015:2673 [WEB]
https://access.redhat.com/errata/RHSA-2015:2684 [WEB]
https://access.redhat.com/errata/RHSA-2016:0013 [WEB]
https://access.redhat.com/errata/RHSA-2016:0017 [WEB]
https://access.redhat.com/security/cve/CVE-2015-7713 [WEB]
https://bugs.launchpad.net/nova/+bug/1491307 [WEB]
https://bugs.launchpad.net/nova/+bug/1492961 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1269119 [WEB]
https://opendev.org/openstack/nova [PACKAGE]
https://security.openstack.org/ossa/OSSA-2015-021.html [WEB]
https://web.archive.org/web/20200228024902/http://www.securityfocus.com/bid/76960 [WEB]
http://rhn.redhat.com/errata/RHSA-2015-2684.html [WEB]
http://www.securityfocus.com/bid/76960 [WEB]