Comment 14 for bug 904072

Thierry Carrez (ttx) wrote :

OK, we'll start coordinating fix and disclosure starting January 3rd.

@Nachi: do you want credit to go to "Nachi Ueno, Rohit Karajgi and Ravi (add last name here)" or to some specific lab or entity ("Researchers at NTT DATA") or both ("Nachi Ueno, Rohit Karajgi and Ravi (add last name here) from NTT DATA")?

@Jesse/Vish/Everyone, please confirm proposed impact statement:

"$CREDIT discovered a vulnerability in Nova API nodes' handling of incoming requests. An authenticated user may craft malicious commands to affect resources on tenants he is not a member of, potentially leading to incorrect billing, quota escaping or compromise of computing resources created by a third party. Only setups allowing the OpenStack API are affected."