@Tristan - Thanks for the feedback. I think I was looking at cinder tags, which start at 2013.2. You're right though. Nova is affected from 2013.1. How's this one sound:
Title: oslo.vmware uses a version of the suds soap client with known vulnerabilities.
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Versions: from 2013.1 to 2013.2.3, and 2014.1 versions up to 2014.1.1
Description:
Grant Murphy from Red Hat found that oslo.vmware uses a vulnerable version of the suds soap client that stores pickled objects at a predictable path in /tmp for caching purposes. A local attacker with shell access could pre-emptively create poisoned cache entries to execute arbitrary code when cached objects are deserialized. All Nova and Cinder setups are affected.
References: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
http://
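
A defensive check for the condition the draft advisory describes, added here as an example and not taken from oslo.vmware, suds, or this thread: before any pickled cache file is loaded, confirm the cache directory is a real directory owned by the current user and not writable by others, or create a private one with `tempfile.mkdtemp`. The function names and the `soapcache-` prefix are hypothetical.

```python
import os
import stat
import tempfile


def cache_dir_is_trustworthy(path):
    """Return (ok, reason) for a directory that will hold pickled cache files."""
    try:
        # lstat does not follow a symlink planted at the predictable path.
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    # A directory pre-created by another local user can hold poisoned entries.
    if st.st_uid != os.geteuid():
        return False, "owned by another user"
    # Group or world write lets other accounts add or replace cache files.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    return True, "ok"


def make_private_cache_dir(prefix="soapcache-"):
    """Create a cache directory with an unpredictable name and mode 0700."""
    # mkdtemp fails rather than reusing an existing path, and the result is
    # readable, writable and searchable only by the creating user.
    return tempfile.mkdtemp(prefix=prefix)


if __name__ == "__main__":
    private = make_private_cache_dir()
    print(private, cache_dir_is_trustworthy(private))
```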