Products: Nova, Cinder (we don't support oslo.vmware iirc)
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.1 (grizzly at least looks affected too, see:
$ git show grizzly-2:tools/pip-requires | grep suds
suds==0.4
)
I would merge the two first sentences -> "oslo.vmware uses a vulnerable version of the suds soap client that cache stores pickled objects at a predictable path in /tmp."
"A local attacker" -> "A local attacker with shell access"
"The oslo.vmware code can be found in the Nova and Cinder projects." -> "All Nova and Cinder setups are affected."
@Grant, Small nits:
Products: Nova, Cinder (we don't support oslo.vmware iirc)
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.1 (grizzly at least looks affected too, see: 2:tools/ pip-requires | grep suds
$ git show grizzly-
suds==0.4
)
I would merge the two first sentences -> "oslo.vmware uses a vulnerable version of the suds soap client that cache stores pickled objects at a predictable path in /tmp."
"A local attacker" -> "A local attacker with shell access"
"The oslo.vmware code can be found in the Nova and Cinder projects." -> "All Nova and Cinder setups are affected."