Vulnerability Description
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Compute | 2012.2 |
| Openstack | Diablo | 2011.3 |
| Openstack | Essex | 2012.1 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/46808Vendor Advisory
- http://secunia.com/advisories/49439Vendor Advisory
- http://www.ubuntu.com/usn/USN-1466-1
- https://bugs.launchpad.net/nova/+bug/985184Patch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
- https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac297ExploitPatch
- https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e65ExploitPatch
- https://lists.launchpad.net/openstack/msg12883.html
- https://review.openstack.org/#/c/8239/
- http://secunia.com/advisories/46808Vendor Advisory
- http://secunia.com/advisories/49439Vendor Advisory
- http://www.ubuntu.com/usn/USN-1466-1
- https://bugs.launchpad.net/nova/+bug/985184Patch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
- https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac297ExploitPatch
FAQ
What is CVE-2012-2654?
CVE-2012-2654 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protoco...
How severe is CVE-2012-2654?
CVE-2012-2654 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2654?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Compute, Openstack Diablo, Openstack Essex.