CVE-2014-4615

Опубликовано: 20 мая 2014

Источник: redhat

CVSS2: 5

Описание

The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).

It was found that authentication tokens were not properly sanitized from the message queue by the notifier middleware. An attacker with read access to the message queue could possibly use this flaw to intercept an authentication token and gain elevated privileges. Note that all services using the notifier middleware configured after the auth_token middleware pipeline were affected.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)	openstack-ceilometer	Affected
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)	openstack-neutron	Affected
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)	python-pycadf	Affected
Red Hat OpenStack Platform 3	openstack-ceilometer	Not affected
Red Hat OpenStack Platform 3	openstack-quantum	Not affected
Red Hat OpenStack Platform 4	openstack-neutron	Not affected
OpenStack 4 for RHEL 6	openstack-ceilometer	Fixed	RHSA-2014:1050	13.08.2014