
List:       oss-security
Subject:    Re: [oss-security] CVE request: nova
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-10-25 20:27:56
Message-ID: 4EA71BCC.2040907 () redhat ! com

On 10/25/2011 11:11 AM, Jamie Strandboge wrote:
> A flaw was discovered in OpenStack nova[1] which allows someone with
> access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the
> EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is
> typically not public, if the user exposes it via http or tools that
> allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY
> easily. An attacker could also presumably brute force values for
> EC2_ACCESS_KEY.
>
> Fix:
> https://review.openstack.org/#change,794
>
> [1] https://launchpad.net/bugs/868360
>
Please use CVE-2011-4076 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
