CVE-2014-3517

Published: 7 August 2014

api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.

Notes

per upstream, Only setups configured to proxy metadata requests via
Neutron are affected

Status

References

• http://lists.openstack.org/pipermail/openstack-announce/2014-July/000253.html
• https://ubuntu.com/security/notices/USN-2325-1
• https://www.cve.org/CVERecord?id=CVE-2014-3517
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755042
• https://bugs.launchpad.net/nova/+bug/1325128
• https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1354159 (2014.1.2)