USN-2325-1: OpenStack Nova vulnerability

Ubuntu Security Notice USN-2325-1

21st August, 2014

nova vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

OpenStack Nova could be made to expose sensitive information over the network.

Software description

  • nova - OpenStack Compute cloud infrastructure

Details

Alex Gaynor discovered that OpenStack Nova would sometimes respond with
variable times when comparing authentication tokens. If nova were
configured to proxy metadata requests via Neutron, a remote authenticated
attacker could exploit this to conduct timing attacks and ascertain
configuration details of another instance.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
python-nova 1:2014.1.2-0ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3517