Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2012-2654
Last Modified 24 Aug 2012 12:00:00
Published 21 Jun 2012 11:55:12
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-2654

Summary

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

Vulnerable Systems

Application

  • OpenStack Compute 2012.2

  • OpenStack Diablo 2011.3

  • OpenStack Essex 2012.1


References

CONFIRM - https://review.openstack.org/#/c/8239/

MLIST - [openstack] 20120606 [OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)

CONFIRM - https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654

CONFIRM - https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978

CONFIRM - https://bugs.launchpad.net/nova/+bug/985184

XF - nova-security-group-sec-bypass(76110)

UBUNTU - USN-1466-1

SECUNIA - 49439

SECUNIA - 46808


Last Updated: 27 May 2016 10:56:33