© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Title: Security groups fail to be set correctly
Impact: Medium
Reporter: HP Cloud Services <email address hidden>
Products: Nova
Affects: All versions
Description:
HP Cloud Services reported a vulnerability in Nova API handling. When a security group is created via the EC2 or OS API's that uses a protocol defined in the incorrect case i.e 'TCP' rather than 'tcp' it causes a later string comparison to fail. This leads to Security Groups not being set correctly. Once the Nova DB has been polluted with the incorrect case any subsequent modifications to the security group will also fail.
Proposed patch:
See attached diff. This proposed patch will be merged to Nova master and stable/diablo/essex branches on public disclosure date.
Database considerations:
The attached diff will make Nova resilient to any protocol case inconsistencies that may be in the Nova DB. Downstream stakeholders may want to consider sanitising their database by forcing all protocol entries to lower case, hardening their DB against any failures of future code that may expect the data to be lower case.
Proposed public disclosure date/time:
Suggestions ?
Please do not make the issue public (or release public patches) before this coordinated embargo date.
Regards,
--
$VMT_COORDINATO
OpenStack Vulnerability Management Team