[OSSA 2014-024] nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517)
Bug #1325128 reported by Alex Gaynor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Grant Murphy |
Havana | Fix Released | Undecided | Unassigned |
Icehouse | Fix Released | Undecided | Unassigned |
OpenStack Security Advisory | Fix Released | Medium | Grant Murphy |
Bug Description
Here:
https:/
a constant time comparison should be used, more information on this type of attack here: http://
An example constant time comparison in Python can be found here: https:/
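The comparison issue this report describes, as an added example that is not part of the original report and is not nova's code. The shared secret, instance ID format and all function names are constructed for illustration; it shows the `==` pattern beside a constant-time check, plus a manual equivalent.

```python
import hashlib
import hmac

SHARED_SECRET = b"constructed-shared-secret"  # constructed sample value


def sign(instance_id: str, secret: bytes = SHARED_SECRET) -> str:
    """Hex HMAC-SHA256 tag over the instance ID (hypothetical token format)."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def validate_leaky(instance_id: str, provided: str) -> bool:
    """'Before' pattern: == can return at the first differing character,
    so response time depends on how long the matching prefix is."""
    return sign(instance_id) == provided


def validate_constant_time(instance_id: str, provided: str) -> bool:
    """Hardened check. Comparing bytes avoids the TypeError that
    hmac.compare_digest raises for non-ASCII str input."""
    expected = sign(instance_id).encode()
    return hmac.compare_digest(expected, provided.encode())


def constant_time_eq(a: bytes, b: bytes) -> bool:
    """Manual equivalent for runtimes without hmac.compare_digest:
    every byte pair is XORed and accumulated, with no early exit."""
    if len(a) != len(b):  # length is not secret for a fixed-size tag
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def positions_compared_early_exit(a: bytes, b: bytes) -> int:
    """Model of an early-exit compare: the work done varies with the input,
    which is the signal the constant-time versions remove."""
    count = 0
    for x, y in zip(a, b):
        count += 1
        if x != y:
            break
    return count
```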
CVE References
Changed in ossa:
  assignee: nobody → Grant Murphy (gmurphy)
  summary:
    nova metadata does not use a constant time compare for validating an
    - HMAC token
    + HMAC token (CVE-2014-3517)
Changed in ossa:
  status: Confirmed → In Progress
Changed in nova:
  importance: Undecided → High
Changed in ossa:
  status: In Progress → Fix Committed
  information type: Private Security → Public
Changed in nova:
  assignee: nobody → Grant Murphy (gmurphy)
  summary:
    - nova metadata does not use a constant time compare for validating an
    - HMAC token (CVE-2014-3517)
    + [OSSA 2014-024] nova metadata does not use a constant time compare for
    + validating an HMAC token (CVE-2014-3517)
Changed in nova:
  milestone: none → juno-2
  status: Fix Committed → Fix Released
Changed in ossa:
  status: Fix Committed → Fix Released
Changed in nova:
  milestone: juno-2 → 2014.2
Thank you for the report.
The OSSA task is incomplete pending additional details from security reviewers; nova-coresec are now subscribed to the bug.