Upstream information

CVE-2013-2030 at MITRE

Description

keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.
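The flaw described above comes down to reusing a directory under a shared, world-writable location without checking who created it. The following is an added example, not code from Nova or Keystone, of the validation a service can perform before trusting such a directory; the function name `prepare_signing_dir` and the demo paths are assumptions made for illustration.

```python
import os
import stat
import tempfile


def prepare_signing_dir(path):
    """Create or validate a private directory for cached signing certificates.

    Returns the path on success and raises PermissionError if the directory
    cannot be trusted. Hypothetical helper, not the project's own function.
    """
    try:
        # mkdir is atomic and fails if anything already exists at `path`,
        # so a directory created here cannot have been planted beforehand.
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something is already there: validate it before reuse

    # lstat does not follow symlinks, so a link planted at `path` is rejected.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not this service")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path}: accessible to group or other users")
    return path


if __name__ == "__main__":
    # Constructed demo inside a scratch directory (no real service paths touched).
    base = tempfile.mkdtemp()
    signing_dir = os.path.join(base, "keystone-signing-nova")
    print("fresh directory accepted:", prepare_signing_dir(signing_dir))

    os.chmod(signing_dir, 0o777)  # simulate a directory others can write to
    try:
        prepare_signing_dir(signing_dir)
    except PermissionError as exc:
        print("rejected:", exc)
```

Keeping the directory outside `/tmp` altogether, in a location only the service account can write to, removes the pre-creation window instead of merely detecting it.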

SUSE information

CVSS v2 Scores
  National Vulnerability Database
Base Score 2.11
Vector AV:L/AC:L/Au:N/C:N/I:P/A:N
Access Vector Local
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
SUSE Bugzilla entry: 819349 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 12.3
  • openstack-nova >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-api >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-cert >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-compute >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-doc >= 2012.2.4+git.1363297910.9561484-2.10.4
  • openstack-nova-network >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-novncproxy >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-objectstore >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-scheduler >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-test >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-vncproxy >= 2012.2.4+git.1363297910.9561484-2.10.1
  • openstack-nova-volume >= 2012.2.4+git.1363297910.9561484-2.10.1
  • python-greenlet >= 0.4.0-3.3.1
  • python-greenlet-debuginfo >= 0.4.0-3.3.1
  • python-greenlet-debugsource >= 0.4.0-3.3.1
  • python-greenlet-devel >= 0.4.0-3.3.1
  • python-nova >= 2012.2.4+git.1363297910.9561484-2.10.1
Patchnames:
openSUSE-2013-539