The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Compute | Openstack | 2013.1 (including) | 2013.1 (including) |
| Compute | Openstack | 2013.1.1 (including) | 2013.1.1 (including) |
| Compute | Openstack | 2013.1.2 (including) | 2013.1.2 (including) |
| Compute | Openstack | 2013.1.3 (including) | 2013.1.3 (including) |
| Compute | Openstack | 2013.2 (including) | 2013.2 (including) |
| Compute | Openstack | 2013.2.1 (including) | 2013.2.1 (including) |
| Compute | Openstack | 2013.2.2 (including) | 2013.2.2 (including) |
| Compute | Openstack | 2013.2.3 (including) | 2013.2.3 (including) |
| Icehouse | Openstack | - (including) | - (including) |
| OpenStack 4 for RHEL 6 | RedHat | openstack-nova-0:2013.2.3-12.el6ost | * |
| Nova | Ubuntu | saucy | * |
| Nova | Ubuntu | upstream | * |