List: oss-security
Subject: Re: [oss-security] CVE request: nova
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2011-10-25 20:27:56
Message-ID: 4EA71BCC.2040907 () redhat ! com
On 10/25/2011 11:11 AM, Jamie Strandboge wrote:
> A flaw was discovered in OpenStack nova[1] which allows someone with
> access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the
> EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is
> typically not public, if the user exposes it via http or tools that
> allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY
> easily. An attacker could also presumably brute force values for
> EC2_ACCESS_KEY.
>
> Fix:
> https://review.openstack.org/#change,794
>
> [1] https://launchpad.net/bugs/868360
>
Please use CVE-2011-4076 for this issue.
--
-Kurt Seifried / Red Hat Security Response Team