USN-2208-2: OpenStack Quantum vulnerability
6 May 2014
OpenStack Quantum could be made to expose sensitive information over the network.
- quantum - OpenStack Virtual Network Service
USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides
the corresponding updates for OpenStack Quantum.
Original advisory details:
JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce
SSL connections when Nova was configured to use QPid and qpid_protocol was
set to 'ssl'. If a remote attacker were able to perform a machine-in-the-middle
attack, this flaw could be exploited to view sensitive information. Ubuntu
does not use QPid with Nova by default.
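To check whether a host runs the configuration described above, the following added example (not part of the advisory or of OpenStack) classifies a service config file by its messaging settings. Only `qpid_protocol` comes from the advisory. The `rpc_backend` option, the `impl_qpid` suffix match, the plain-TCP default and the sample values are assumptions of this example.

```python
import configparser

# Result labels are this example's own names, not advisory terminology.
NOT_QPID = "not-qpid"            # another RPC backend: precondition not met
QPID_TCP = "qpid-tcp"            # Qpid in use, TLS not requested
QPID_SSL = "qpid-ssl-requested"  # the configuration the advisory describes


def classify_qpid_transport(conf_text):
    """Classify an INI-style service config by the advisory's precondition."""
    # strict=False tolerates repeated keys; interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    opts = cp.defaults()  # options under [DEFAULT], keys lower-cased

    def clean(name, default=""):
        # Drop surrounding whitespace and quotes, compare case-insensitively.
        return opts.get(name, default).strip().strip("'\"").lower()

    # Assumption: Qpid is selected by an rpc_backend value ending in
    # "impl_qpid" (or the short name "qpid"); unset means another backend.
    backend = clean("rpc_backend")
    if not (backend.endswith("impl_qpid") or backend == "qpid"):
        return NOT_QPID
    # Assumption: an unset or commented-out qpid_protocol means plain TCP.
    return QPID_SSL if clean("qpid_protocol", "tcp") == "ssl" else QPID_TCP


# Constructed sample configs, not taken from any real host.
SAMPLE_SSL = """[DEFAULT]
rpc_backend = quantum.openstack.common.rpc.impl_qpid
qpid_hostname = broker.example.internal
qpid_protocol = 'ssl'
"""
SAMPLE_COMMENTED = """[DEFAULT]
rpc_backend = quantum.openstack.common.rpc.impl_qpid
# qpid_protocol = ssl
"""
SAMPLE_OTHER_BACKEND = """[DEFAULT]
rpc_backend = quantum.openstack.common.rpc.impl_kombu
qpid_protocol = ssl
"""

if __name__ == "__main__":
    for name, text in [("ssl", SAMPLE_SSL), ("commented", SAMPLE_COMMENTED),
                       ("other backend", SAMPLE_OTHER_BACKEND)]:
        print(f"{name}: {classify_qpid_transport(text)}")
```

A host classified as `qpid-ssl-requested` is one where the operator expects an encrypted broker connection, so it is the case in which installing the updated packages matters most.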
- USN-2247-1: nova-api-ec2, nova-volume, nova-ajax-console-proxy, python-nova, nova-scheduler, nova-api-os-compute, nova-doc, nova-network, nova-api, nova-baremetal, nova-compute-qemu, nova-console, nova-spiceproxy, nova, nova-common, nova-xvpvncproxy, nova-compute-lxc, nova-conductor, nova-compute-xen, nova-compute, nova-consoleauth, nova-cert, nova-api-os-volume, nova-cells, nova-compute-kvm, nova-compute-vmware, nova-novncproxy, nova-compute-libvirt, nova-api-metadata, nova-objectstore
- USN-2208-1: cinder, python-cinder