Ubuntu 11.10 / 12.04 LTS : nova regression (USN-1466-2)

Ubuntu Security Notice (C) 2012-2013 Canonical, Inc. / NASL script (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

USN 1466-1 fixed a vulnerability in Nova. The upstream patch
introduced a regression when a security group granted full access and
therefore the network protocol was left unset, causing an error in
processing. This update fixes the issue.

We apologize for the inconvenience.

It was discovered that, when defining security groups in Nova using
the EC2 or OS APIs, specifying the network protocol (e.g. 'TCP') in
the incorrect case would cause the security group to not be applied
correctly. An attacker could use this to bypass Nova security group
restrictions.

Solution :

Update the affected python-nova package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 59471 ()

Bugtraq ID: 53875

CVE ID: