[openstack-announce] [OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426)

Jeremy Stanley jeremy at openstack.org
Wed Dec 11 15:48:23 UTC 2013

OpenStack Security Advisory: 2013-034
CVE: CVE-2013-6426
Date: December 11, 2013
Title: Heat CFN policy rules not all enforced
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.
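The defect described above is a policy table that covers some CFN actions but not others, so the uncovered actions fall through to a permissive default rule. The following is an added example (not Heat's or the OpenStack project's own code) with a minimal evaluator for the "rule:"/"role:"/"not" expression style used in Heat-era policy.json files; the role name heat_stack_user and the exact rule entries are assumptions, and the policy tables are constructed for illustration. It shows the gap, the fixed table with explicit CreateStack/UpdateStack rules, and a coverage check a deployer or test suite can run to catch any API action that lacks an explicit rule.

```python
"""Added example: an incomplete API policy table versus a complete one,
plus a coverage check that flags actions left to the default rule.
Constructed for illustration; not Heat's own policy.json or enforcer."""

# CFN actions a deployer expects the policy file to govern (constructed list).
CFN_ACTIONS = ["ListStacks", "DescribeStacks", "CreateStack",
               "UpdateStack", "DeleteStack"]

# Constructed policy modelled on the Heat-style format; "heat_stack_user" is
# assumed to be the role held by in-instance (stack) users. CreateStack and
# UpdateStack are missing, so they are decided by the permissive "default".
VULNERABLE_POLICY = {
    "deny_stack_user": "not role:heat_stack_user",
    "default": "",                         # empty rule == always allow
    "cloudformation:ListStacks": "rule:deny_stack_user",
    "cloudformation:DescribeStacks": "rule:deny_stack_user",
    "cloudformation:DeleteStack": "rule:deny_stack_user",
}

# Corrected table: every governed action has an explicit entry.
FIXED_POLICY = dict(VULNERABLE_POLICY, **{
    "cloudformation:CreateStack": "rule:deny_stack_user",
    "cloudformation:UpdateStack": "rule:deny_stack_user",
})


def evaluate(expr, roles, policy):
    """Evaluate a tiny rule language: "" or "@" allow, "!" deny,
    "role:<name>" role membership, "rule:<name>" indirection, "not <expr>"."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if expr.startswith("not "):
        return not evaluate(expr[4:], roles, policy)
    if expr.startswith("rule:"):
        return evaluate(policy[expr[5:]], roles, policy)
    if expr.startswith("role:"):
        return expr[5:] in roles
    raise ValueError("unsupported rule expression: %r" % expr)


def enforce(policy, action, roles, api="cloudformation"):
    """Return True if the caller holding `roles` may invoke `api:action`.
    An action with no entry falls back to the "default" rule, which is the
    behaviour that turns a missing entry into an authorization hole."""
    target = "%s:%s" % (api, action)
    rule = policy.get(target, policy.get("default", "!"))
    return evaluate(rule, set(roles), policy)


def missing_rules(policy, actions, api="cloudformation"):
    """Coverage check: actions that would be decided by the default rule."""
    return [a for a in actions if "%s:%s" % (api, a) not in policy]


def with_deny_default(policy):
    """Defence in depth: make the fallback rule a deny, so a rule that is
    accidentally omitted fails closed instead of open."""
    return dict(policy, default="!")


if __name__ == "__main__":
    stack_user = {"heat_stack_user"}
    for name, pol in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "CreateStack as stack user ->",
              enforce(pol, "CreateStack", stack_user))
        print(name, "uncovered actions ->", missing_rules(pol, CFN_ACTIONS))
```

Running the block prints that the stack user is allowed CreateStack under the incomplete table and denied under the corrected one, and lists CreateStack and UpdateStack as the uncovered actions. The coverage check is the piece worth keeping: run it against the deployed policy file and the full list of API actions so an omission is caught before it becomes an authorization bypass, and pair it with a deny default so any remaining gap fails closed.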

Icehouse (development branch) fix:

Havana fix:

This fix will be included in the icehouse-2 development milestone
and in a future 2013.2.1 release.


Jeremy Stanley
OpenStack Vulnerability Management Team