Bug 1344232 (CVE-2016-4972) - CVE-2016-4972 openstack-murano: RCE via usage of insecure YAML tags
Summary: CVE-2016-4972 openstack-murano: RCE via usage of insecure YAML tags
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-4972
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1349665 1349666
Blocks: 1344240
TreeView+ depends on / blocked
 
Reported: 2016-06-09 08:45 UTC by Andrej Nemec
Modified: 2019-09-29 13:50 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in openstack-murano processing. Using extended YAML tags in Murano-application YAML files, an attacker could perform remote code execution.
Clone Of:
Environment:
Last Closed: 2016-06-24 00:07:25 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2016-06-09 08:45:38 UTC
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform Remote Code Execution.

Comment 1 Andrej Nemec 2016-06-09 08:45:48 UTC
Acknowledgments:

Name: Kirill Zaitsev (Mirantis)

Comment 2 Summer Long 2016-06-23 23:17:29 UTC
Upstream announcement: http://seclists.org/oss-sec/2016/q2/593
From: Kirill Zaitsev <k.zaitsev () me com>
Date: Thu, 23 Jun 2016 20:42:13 +0300

Comment 5 Summer Long 2016-06-23 23:37:15 UTC
Statement:

Red Hat OpenStack Platform and Red Hat Enterprise Linux OpenStack Platform do not include or support openstack-murano, and are therefore not affected by this flaw in any supported configuration.


Note You need to log in before you can comment on or make changes to this bug.