Bug 1152346 (CVE-2014-8750)
| Summary: | CVE-2014-8750 openstack-nova: Nova VMware driver may connect VNC to another tenant's console | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, chrisw, dallan, dasmith, davidx, gkotton, gmollett, itamar, jonathansteffan, jose.castro.leon, jrusnack, lhh, lpeer, markmc, mbooth, mlvov, mmagr, mmcallis, ndipanov, pbrady, p, rbryant, rk, sbauza, sclewis, sferdjao, sgordon, vdanen, vladanovic, vromanso, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A race condition flaw was found in the way the nova VMware driver handled VNC port allocation. An authenticated user could use this flaw to gain unauthorized console access to instances belonging to other tenants by repeatedly spawning new instances. Note that only nova setups using the VMware driver and the VNC proxy service were affected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-11-03 12:17:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1152347, 1152348, 1152353, 1152354, 1152355 | ||
| Bug Blocks: | 1150897, 1152349 | ||
|
Description
Murray McAllister
2014-10-14 01:16:36 UTC
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1152347] MITRE assigned CVE-2014-8750 to this issue: http://seclists.org/oss-sec/2014/q4/316 The fix for this has been merged into Icehouse stable here: https://review.openstack.org/#/c/126425/ It hasn't been merged into Havana. The bug's real and looks fairly easy to exploit, although it would be very difficult to pick a specific target to hijack. I'm going to assume you want a Havana backport. Do you also need an Icehouse backport, or will that be picked up automatically with the next stable merge? IssueDescription: A race condition flaw was found in the way the nova VMware driver handled VNC port allocation. An authenticated user could use this flaw to gain unauthorized console access to instances belonging to other tenants by repeatedly spawning new instances. Note that only nova setups using the VMware driver and the VNC proxy service were affected. This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1689 https://rhn.redhat.com/errata/RHSA-2014-1689.html This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1782 https://rhn.redhat.com/errata/RHSA-2014-1782.html This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1781 https://rhn.redhat.com/errata/RHSA-2014-1781.html |