Jeremy Stanley of the OpenStack Project reports:
Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.
Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.
Created attachment 833715
Created attachment 833717
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:0090 https://rhn.redhat.com/errata/RHSA-2014-0090.html
Created openstack-heat tracking bugs for this issue:
Affects: fedora-19 [bug 1112428]