Red Hat Bugzilla – Bug 1272297
CVE-2015-5303 python-rdomanager-oscplugin: NeutronMetadataProxySharedSecret parameter uses default value
Last modified: 2016-04-26 19:15:47 EDT
Steven Hardy reports: Currently we don't set the NeutronMetadataProxySharedSecret (which according to the description in the neutron docs exists to prevent spoofing) - thus it remains at its bad default value of "unset".
I assume this has the potential for security impact given that if it's predictable I guess spoofing metadata requests then becomes possible, but not being a Neutron expert I'm not sure of how serious an issue this may be.
This issue was discovered by Steven Hardy of Red Hat.
This issue has been addressed in the following products:
OpenStack 7.0 Director/Manager for RHEL 7
Via RHSA-2015:2650 https://access.redhat.com/errata/RHSA-2015:2650
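A configuration audit for the condition this bug describes, as an added example (not code from the bug report or from python-rdomanager-oscplugin). It assumes the Heat parameter is rendered as the `metadata_proxy_shared_secret` option in `nova.conf` (`[neutron]`) and `metadata_agent.ini` (`[DEFAULT]`); the sample file contents and function names are constructed for illustration.

```python
import configparser
import secrets

# Values that give no protection: the "unset" default named in the report, or an empty string.
WEAK_SECRETS = {"", "unset"}

# Constructed sample configs (not taken from a real deployment).
NOVA_CONF = """[neutron]
service_metadata_proxy = True
metadata_proxy_shared_secret = unset
"""
METADATA_AGENT_INI = """[DEFAULT]
metadata_proxy_shared_secret = unset
"""

def read_secret(text, section):
    """Return the configured shared secret, or None when the option is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if section == "DEFAULT":
        return cp.defaults().get("metadata_proxy_shared_secret")
    if not cp.has_section(section):
        return None
    return cp.get(section, "metadata_proxy_shared_secret", fallback=None)

def audit(nova_text, agent_text):
    """List findings for a nova.conf / metadata_agent.ini pair."""
    findings = []
    nova = read_secret(nova_text, "neutron")
    agent = read_secret(agent_text, "DEFAULT")
    for name, value in (("nova.conf", nova), ("metadata_agent.ini", agent)):
        if value is None or value.strip() in WEAK_SECRETS:
            findings.append(f"{name}: shared secret missing or default ({value!r})")
    # Both services must hold the same value for the check to work at all.
    if nova != agent:
        findings.append("nova.conf and metadata_agent.ini secrets differ")
    return findings

def new_secret():
    """Random per-deployment value to supply as NeutronMetadataProxySharedSecret."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    for finding in audit(NOVA_CONF, METADATA_AGENT_INI):
        print("FINDING:", finding)
    print("replacement value:", new_secret())
```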