Bug 1272297 (CVE-2015-5303) - CVE-2015-5303 python-rdomanager-oscplugin: NeutronMetadataProxySharedSecret parameter uses default value
Summary: CVE-2015-5303 python-rdomanager-oscplugin: NeutronMetadataProxySharedSecret p...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5303
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1269786 1295289 1295291 1295337
Blocks: 1272303
TreeView+ depends on / blocked
 
Reported: 2015-10-16 02:40 UTC by Summer Long
Modified: 2023-05-12 14:32 UTC (History)
26 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-04-08 00:23:37 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1516027 0 None None None Never
Red Hat Product Errata RHSA-2015:2650 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update 2015-12-21 21:44:54 UTC

Description Summer Long 2015-10-16 02:40:41 UTC 
Steven Hardy reports: Currently we don't set the NeutronMetadataProxySharedSecret, (which according to the description in the neutron docs exists to prevent spoofing) - thus is remains at it's bad default value of "unset".

I assume this has the potential for security impact given that if it's predictable I guess spoofing metadata requests then becomes possible, but not being a Neutron expert I'm not sure of how serious an issue this may be.
Comment 1 Summer Long 2015-11-10 01:04:37 UTC 
Acknowledgements:

This issue was discovered by Steven Hardy of Red Hat.
Comment 2 Summer Long 2015-12-09 03:55:41 UTC 
Upstream: https://bugs.launchpad.net/tripleo/+bug/1516027
Comment 3 errata-xmlrpc 2015-12-21 16:51:51 UTC 
This issue has been addressed in the following products:

  OpenStack 7.0 Director/Manager for RHEL 7

Via RHSA-2015:2650 https://access.redhat.com/errata/RHSA-2015:2650
Note You need to log in before you can comment on or make changes to this bug.