OpenStack Security Advisory: 2014-011 CVE: CVE-2014-0167 Date: April 09, 2014 Title: RBAC policy not properly enforced in Nova EC2 API Reporter: Marc Heckmann (Ubisoft) Products: Nova Versions: from 2013.1 to 2013.2.3 Description: Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected. Juno (development branch) fix: https://review.openstack.org/86358 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/86360 Havana fix: https://review.openstack.org/86361 Notes: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0167 https://launchpad.net/bugs/1290537 -- Tristan Cacqueray OpenStack Vulnerability Management Team