The OpenStack project reports:

""
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Alex Gaynor from Rackspace as the original reporter.
Created openstack-nova tracking bugs for this issue:
Affects: epel-6 [bug 1120951]
Created openstack-nova tracking bugs for this issue:
Affects: fedora-19 [bug 1120953]
Affects: fedora-20 [bug 1120954]
This issue has been addressed in the following products:
OpenStack 5 for RHEL 7
Via RHSA-2014:0940 https://rhn.redhat.com/errata/RHSA-2014-0940.html
IssueDescription: A side-channel timing attack flaw was found in Nova. An attacker could possibly use this flaw to guess valid instance ID signatures, giving them access to details of another instance, by analyzing the response times of requests for instance metadata. This issue only affected configurations that proxy metadata requests via Neutron.
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:1084 https://rhn.redhat.com/errata/RHSA-2014-1084.html
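The flaw class named in the advisory title, shown as an added example that is not Nova's code or the upstream patch: an early-exit comparison does work proportional to how many leading characters of a guessed signature are correct, while a constant-time comparison does the same work for every wrong guess. It assumes the instance ID signature is an HMAC-SHA256 hex digest keyed with a secret shared with the proxy; the secret, instance ID and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions); not taken from any deployment.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = "3f2b6c1e-0000-4000-8000-000000000001"


def sign_instance_id(secret, instance_id):
    """Assumed signature scheme: HMAC-SHA256 hex digest of the instance ID."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def early_exit_equal(expected, provided):
    """Model of an ordinary string compare; returns (equal, chars examined)."""
    if len(expected) != len(provided):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, provided)):
        if a != b:
            return False, i + 1  # work done depends on the matching prefix
    return True, len(expected)


def constant_time_equal(expected, provided):
    """Examines every character no matter where the first mismatch is."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for a, b in zip(expected, provided):
        diff |= ord(a) ^ ord(b)  # accumulate differences, never branch on them
    return diff == 0, len(expected)


def verify_signature(secret, instance_id, provided_sig):
    """Hardened check using the standard library's constant-time compare."""
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode(), provided_sig.encode())


def work_profile(compare, expected, matching_prefix_lengths):
    """Chars examined for wrong guesses that share n leading chars."""
    profile = []
    for n in matching_prefix_lengths:
        wrong = "0" if expected[n] != "0" else "1"  # force mismatch at index n
        guess = expected[:n] + wrong + "f" * (len(expected) - n - 1)
        profile.append(compare(expected, guess)[1])
    return profile
```

The character count stands in for the response-time difference the advisory describes; in production code only `verify_signature` (or an equivalent constant-time primitive) belongs on the request path.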