USN-2208-2: OpenStack Quantum vulnerability
6 May 2014
OpenStack Quantum could be made to expose sensitive information over the network.
- quantum - OpenStack Virtual Network Service
USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides
the corresponding updates for OpenStack Quantum.
Original advisory details:
JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce
SSL connections when Nova was configured to use QPid and qpid_protocol is
set to 'ssl'. If a remote attacker were able to perform a machine-in-the-middle
attack, this flaw could be exploited to view sensitive information. Ubuntu
does not use QPid with Nova by default.
- USN-2247-1: nova-baremetal, nova-cert, nova-api-metadata, nova-compute-vmware, python-nova, nova-ajax-console-proxy, nova-conductor, nova-consoleauth, nova-spiceproxy, nova-api-os-compute, nova, nova-compute, nova-doc, nova-compute-libvirt, nova-objectstore, nova-compute-lxc, nova-api-os-volume, nova-api, nova-compute-xen, nova-volume, nova-cells, nova-xvpvncproxy, nova-api-ec2, nova-compute-qemu, nova-common, nova-compute-kvm, nova-console, nova-novncproxy, nova-network, nova-scheduler
- USN-2208-1: python-cinder, cinder