Bug 1344232 (CVE-2016-4972) - CVE-2016-4972 openstack-murano: RCE via usage of insecure YAML tags
Summary: CVE-2016-4972 openstack-murano: RCE via usage of insecure YAML tags
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-4972
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1349665 1349666
Blocks: 1344240
TreeView+ depends on / blocked
 
Reported: 2016-06-09 08:45 UTC by Andrej Nemec
Modified: 2021-02-17 03:44 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-06-24 00:07:25 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2016-06-09 08:45:38 UTC 
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform Remote Code Execution.
Comment 1 Andrej Nemec 2016-06-09 08:45:48 UTC 
Acknowledgments:

Name: Kirill Zaitsev (Mirantis)
Comment 2 Summer Long 2016-06-23 23:17:29 UTC 
Upstream announcement: http://seclists.org/oss-sec/2016/q2/593
From: Kirill Zaitsev <k.zaitsev () me com>
Date: Thu, 23 Jun 2016 20:42:13 +0300
Comment 5 Summer Long 2016-06-23 23:37:15 UTC 
Statement:

Red Hat OpenStack Platform and Red Hat Enterprise Linux OpenStack Platform do not include or support openstack-murano, and are therefore not affected by this flaw in any supported configuration.
Note You need to log in before you can comment on or make changes to this bug.