CVE-2013-6426

Published: 11 December 2013

The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.

Notes

Author	Note
mdeslaur	OSSA 2013-034

Priority

Status

Package	Release	Status
heat Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Does not exist
	quantal	Does not exist
	raring	Does not exist
	saucy	Ignored (end of life)
	trusty	Does not exist (trusty was not-affected [2014.1~rc1-0ubuntu1])
	upstream	Released (2014.1.rc1)
	Patches: upstream: https://review.openstack.org/61454 (havana) upstream: https://review.openstack.org/61452 (icehouse)

References

Bugs

https://bugs.launchpad.net/heat/+bug/1256049

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›