Bug 886373 (CVE-2014-3517) - VUL-0: CVE-2014-3517: openstack-nova: Use of non-constant time comparison operation
Status: RESOLVED FIXED
Alias: CVE-2014-3517
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2014-07-09 08:08 UTC by Victor Pereira
Modified: 2016-04-27 19:30 UTC

Description Victor Pereira 2014-07-09 08:08:04 UTC
CVE-2014-3517


Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.
By analyzing response times to requests for instance metadata, an attacker
may be able to guess a valid instance ID signature. This could allow access
to important configuration details of another instance. Only setups
configured to proxy metadata requests via Neutron are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno 
development branch) on the public disclosure date.
Comment 5 Swamp Workflow Management 2014-07-09 22:00:16 UTC
bugbot adjusting priority
Comment 6 SMASH SMASH 2014-07-10 08:25:14 UTC
Affected packages:

SLE-11-SP3: openstack-nova
SLE-11-SP3-PRODUCTS: openstack-nova
SLE-11-SP3-UPTU: openstack-nova
Comment 7 Marcus Meissner 2014-07-18 12:41:10 UTC
public now, posted on oss-sec

OpenStack Security Advisory: 2014-024
CVE: CVE-2014-3517
Date: July 17, 2014
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.  
By analyzing response times to requests for instance metadata, an attacker 
may be able to guess a valid instance ID signature. This could allow access 
to important configuration details of another instance. Only setups 
configured to proxy metadata requests via Neutron are affected.

Juno (development branch) fix:
https://review.openstack.org/107396

Icehouse
https://review.openstack.org/107397

Havana
https://review.openstack.org/107398

Notes:
This fix will be included in the Juno-2 development milestone and in future 
2013.2.4 and 2014.1.2 releases

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517
https://launchpad.net/bugs/1325128

-- 
Grant Murphy
OpenStack Vulnerability Management Team
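
The flaw class named in the advisory, shown as an added example that is not part of the original report and is not Nova's code: an early-exit comparison of a signature does work proportional to the matching prefix, while a constant-time comparison does not. The hex HMAC-SHA256 signature scheme, the function names, and the secret and instance ID values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = b"0f3c1b5e-constructed-instance-id"


def sign_instance_id(secret: bytes, instance_id: bytes) -> str:
    """Hex HMAC-SHA256 tag over the instance ID (assumed signature scheme)."""
    return hmac.new(secret, instance_id, hashlib.sha256).hexdigest()


def early_exit_steps(expected: str, provided: str) -> int:
    """Model of an early-exit equality check: count the character
    comparisons performed before the check can return."""
    if len(expected) != len(provided):
        return 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps


def verify_vulnerable(secret: bytes, instance_id: bytes, provided: str) -> bool:
    # Non-constant-time pattern: the work done depends on how many leading
    # characters of the provided signature are already correct.
    return sign_instance_id(secret, instance_id) == provided


def verify_hardened(secret: bytes, instance_id: bytes, provided) -> bool:
    """Compare with hmac.compare_digest, whose running time does not depend
    on where the first mismatch occurs. Missing or non-ASCII input is
    rejected before the comparison."""
    if not isinstance(provided, str) or not provided.isascii():
        return False
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode("ascii"),
                               provided.encode("ascii"))
```

`early_exit_steps` returns 1 for a signature that is wrong in its first character and 64 for one that is wrong only in its last, which is the difference in work that a constant-time comparison removes.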
Comment 8 Johannes Segitz 2015-03-11 13:54:34 UTC
Fixed in current cloud versions