CVE-2015-0259

Published: 1 April 2015

OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

Priority

Status

Package	Release	Status
nova Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Not vulnerable (code not present)
	trusty	Does not exist (trusty was not-affected [1:2014.1.5-0ubuntu1])
	upstream	Released (2014.1.3-11)
	utopic	Not vulnerable (1:2014.2.3-0ubuntu1)
	vivid	Not vulnerable (1:2015.1.0-0ubuntu1)

References

http://lists.openstack.org/pipermail/openstack-announce/2015-March/000341.html
https://www.cve.org/CVERecord?id=CVE-2015-0259
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/nova/+bug/1409142
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780250

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›