[security] CVE-2013-5211 vulnerability on MOS controllers
Bug #1505235 reported by Eugene Korekin
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Fix Released | High | Stanislaw Bogatkin |
6.0.x | Invalid | High | Denis Meltsaykin |
7.0.x | Fix Released | High | Stanislaw Bogatkin |
Bug Description
MOS controllers are susceptible to CVE-2013-5211
http://
Default Ubuntu ntpd installations include these lines in /etc/ntp.conf:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
But /etc/ntp.conf on MOS controllers does not contain 'default' in the first of these lines:
restrict -4 kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
and so is vulnerable.
This vulnerability is already exploited in some of our test installations in Czech datacenter.
I confirmed it on MOS 7.0 but other releases might contain the same bug.
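An added example, not part of the bug report or of the Fuel fix: a Python audit that checks ntp.conf text for the default restrict lines quoted above and flags a restrict line whose address is missing. The name audit_restrict, the flag list used to spot a missing address, and the rule that a bare 'default' counts for IPv4 only are assumptions of this example.

```python
# Added example: audit ntp.conf text for the default 'restrict' lines.
# Restrict flag keywords, used only to notice a flag where an address belongs.
RESTRICT_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify", "nopeer",
                  "noquery", "noserve", "notrap", "notrust", "ntpport", "version"}

# Constructed samples: the two pairs of lines quoted in the bug description.
UBUNTU_DEFAULT = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
MOS_CONTROLLER = """\
restrict -4 kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""

def audit_restrict(conf_text):
    """Report whether each address family has a default restrict line with noquery.

    Returns {"ipv4": bool, "ipv6": bool, "missing_address": [line numbers]}.
    A family counts as covered if at least one of its default lines has noquery.
    """
    result = {"ipv4": False, "ipv6": False, "missing_address": []}
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"        # assumption: a bare 'default' counts for IPv4 only
        if args[0] in ("-4", "-6"):
            family = "ipv4" if args[0] == "-4" else "ipv6"
            args = args[1:]
        if not args:
            continue
        if args[0] == "default":
            if "noquery" in args[1:]:
                result[family] = True
        elif args[0] in RESTRICT_FLAGS:
            # A flag sits where the address belongs, as in the MOS line above.
            result["missing_address"].append(lineno)
    return result

if __name__ == "__main__":
    for name, text in (("ubuntu default", UBUNTU_DEFAULT),
                       ("mos controller", MOS_CONTROLLER)):
        print(name, audit_restrict(text))
```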
CVE References
description: | updated |
Changed in mos: | |
assignee: | nobody → MOS Maintenance (mos-maintenance) |
information type: | Public → Private Security |
no longer affects: | mos/8.0.x |
Changed in mos: | |
importance: | Undecided → High |
status: | New → Confirmed |
tags: | added: 70mu1-confirmed |
tags: | removed: 70mu1-confirmed |
tags: | added: area-library |
tags: | added: on-verification |
affects: | mos → fuel |
Changed in fuel: | |
milestone: | 8.0 → none |
milestone: | none → 8.0 |
no longer affects: | ubuntu |
no longer affects: | mos/5.1.x |
no longer affects: | mos/6.0.x |
no longer affects: | mos/6.1.x |
no longer affects: | mos/7.0.x |
information type: | Private Security → Public Security |
tags: | added: 7.0-mu-2 |
tags: | added: on-verification |
For 8.0 addressed by https://review.openstack.org/#/c/235058