The OpenStack project reports: "" Title: Nova VMware driver may connect VNC to another tenant's console Reporter: Marcio Roberto Starke Products: Nova Versions: up to 2014.1.3 Description: Marcio Roberto Starke reported a vulnerability in the Nova VMware driver. A race condition in its VNC port allocation may cause it to connect the wrong console if instances are created concurrently. By repeatedly spawning new instances, an authenticated user may be able to gain unauthorized console access to instances belonging to other tenants. Only Nova setups using the VMware driver and the VNC proxy service are affected. "" CVE request: http://seclists.org/oss-sec/2014/q4/313 References: https://launchpad.net/bugs/1357372 https://review.openstack.org/#/c/126425/
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1152347]
MITRE assigned CVE-2014-8750 to this issue: http://seclists.org/oss-sec/2014/q4/316
The fix for this has been merged into Icehouse stable here: https://review.openstack.org/#/c/126425/ It hasn't been merged into Havana. The bug's real and looks fairly easy to exploit, although it would be very difficult to pick a specific target to hijack. I'm going to assume you want a Havana backport. Do you also need an Icehouse backport, or will that be picked up automatically with the next stable merge?
IssueDescription: A race condition flaw was found in the way the nova VMware driver handled VNC port allocation. An authenticated user could use this flaw to gain unauthorized console access to instances belonging to other tenants by repeatedly spawning new instances. Note that only nova setups using the VMware driver and the VNC proxy service were affected.
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1689 https://rhn.redhat.com/errata/RHSA-2014-1689.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1782 https://rhn.redhat.com/errata/RHSA-2014-1782.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1781 https://rhn.redhat.com/errata/RHSA-2014-1781.html