Bug 825870 - (CVE-2012-2654) CVE-2012-2654 OpenStack Nova security groups fail to be set correctly
CVE-2012-2654 OpenStack Nova security groups fail to be set correctly
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 829439 829440 829441
  Show dependency treegraph
Reported: 2012-05-28 16:28 EDT by Kurt Seifried
Modified: 2015-07-31 02:51 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-09-12 14:20:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for CVE-2012-2654 (1.75 KB, patch)
2012-05-28 16:30 EDT, Kurt Seifried
no flags Details | Diff

  None (edit)
Description Kurt Seifried 2012-05-28 16:28:32 EDT
From linux distros robert.clark@hp.com

Title: Security groups fail to be set correctly

Impact: Medium

Reporter: HP Cloud Services hpcs.security@hp.com

Products: Nova

Affects: All versions

HP Cloud Services reported a vulnerability in Nova API handling. When a security group is created via the EC2 or OS API's that uses a protocol defined in the incorrect case i.e 'TCP' rather than 'tcp' it causes a later string comparison to fail. This leads to Security Groups not being set correctly. Once the Nova DB has been polluted with the incorrect case any subsequent modifications to the security group will also fail.

Proposed patch:
See attached diff. This proposed patch will be merged to Nova master and stable/diablo/essex branches on public disclosure date.

Database considerations:
The attached diff will make Nova resilient to any protocol case inconsistencies that may be in the Nova DB. Downstream stakeholders may want to consider sanitising their database by forcing all protocol entries to lower case, hardening their DB against any failures of future code that may expect the data to be lower case.

Proposed public disclosure date/time:
Wednesday 6th June 1000 UTC
Comment 1 Kurt Seifried 2012-05-28 16:30:36 EDT
Created attachment 587284 [details]
Patch for CVE-2012-2654
Comment 2 Kurt Seifried 2012-06-06 14:51:50 EDT
Created openstack-nova tracking bugs for this issue

Affects: fedora-16 [bug 829439]
Affects: fedora-17 [bug 829440]
Affects: epel-6 [bug 829441]

Note You need to log in before you can comment on or make changes to this bug.