OpenStack Security Advisory: 2014-024 CVE: CVE-2014-3517 Date: July 17, 2014 Title: Use of non-constant time comparison operation Reporter: Alex Gaynor (Rackspace) Products: Nova Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1 Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected. Juno (development branch) fix: https://review.openstack.org/107396 Icehouse https://review.openstack.org/107397 Havana https://review.openstack.org/107398 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517 https://launchpad.net/bugs/1325128 -- Grant Murphy OpenStack Vulnerability Management Team