USN-2325-1: OpenStack Nova vulnerability
21 August 2014
OpenStack Nova could be made to expose sensitive information over the network.
- nova - OpenStack Compute cloud infrastructure
Alex Gaynor discovered that OpenStack Nova would sometimes respond with
variable times when comparing authentication tokens. If nova were
configured to proxy metadata requests via Neutron, a remote authenticated
attacker could exploit this to conduct timing attacks and ascertain
configuration details of another instance.