CVE 2012-2654
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
Related bugs and status
CVE-2012-2654 (Candidate) is related to these bugs:
Bug #754900: [SRU] Nova-manage network delete does not delete from fixed_ips
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 754900 | [SRU] Nova-manage network delete does not delete from fixed_ips | OpenStack Compute (nova) | Medium | Fix Released | ||
| 754900 | [SRU] Nova-manage network delete does not delete from fixed_ips | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
| 754900 | [SRU] Nova-manage network delete does not delete from fixed_ips | nova (Ubuntu) | Undecided | Fix Released | ||
| 754900 | [SRU] Nova-manage network delete does not delete from fixed_ips | nova (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #952176: [SRU] Cannot associate a second network/vlan to a tenant with "nova-manage network modify"
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 952176 | [SRU] Cannot associate a second network/vlan to a tenant with "nova-manage network modify" | OpenStack Compute (nova) | Medium | Fix Released | ||
| 952176 | [SRU] Cannot associate a second network/vlan to a tenant with "nova-manage network modify" | nova (Ubuntu) | Undecided | Fix Released | ||
| 952176 | [SRU] Cannot associate a second network/vlan to a tenant with "nova-manage network modify" | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 952176 | [SRU] Cannot associate a second network/vlan to a tenant with "nova-manage network modify" | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #962615: [SRU] Unable to list volumes after building from snapshot
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 962615 | [SRU] Unable to list volumes after building from snapshot | OpenStack Compute (nova) | High | Fix Released | ||
| 962615 | [SRU] Unable to list volumes after building from snapshot | OpenStack Compute (nova) essex | High | Fix Released | ||
| 962615 | [SRU] Unable to list volumes after building from snapshot | OpenStack Compute (nova) folsom | High | Fix Released | ||
| 962615 | [SRU] Unable to list volumes after building from snapshot | nova (Ubuntu) | Undecided | Fix Released | ||
| 962615 | [SRU] Unable to list volumes after building from snapshot | nova (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #967931: [SRU] killfilter should handle updated/deleted executables
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 967931 | [SRU] killfilter should handle updated/deleted executables | OpenStack Compute (nova) | Medium | Fix Released | ||
| 967931 | [SRU] killfilter should handle updated/deleted executables | nova (Ubuntu) | Undecided | Fix Released | ||
| 967931 | [SRU] killfilter should handle updated/deleted executables | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 967931 | [SRU] killfilter should handle updated/deleted executables | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #968843: [SRU] connection leak in rpc connection pool
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 968843 | [SRU] connection leak in rpc connection pool | OpenStack Compute (nova) | High | Fix Released | ||
| 968843 | [SRU] connection leak in rpc connection pool | nova (Ubuntu) | Undecided | Fix Released | ||
| 968843 | [SRU] connection leak in rpc connection pool | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 968843 | [SRU] connection leak in rpc connection pool | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #971640: [SRU] public key injection should be configurable
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 971640 | [SRU] public key injection should be configurable | OpenStack Compute (nova) | Medium | Fix Released | ||
| 971640 | [SRU] public key injection should be configurable | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
| 971640 | [SRU] public key injection should be configurable | nova (Ubuntu) | Undecided | Fix Released | ||
| 971640 | [SRU] public key injection should be configurable | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 971640 | [SRU] public key injection should be configurable | nova (Ubuntu Quantal) | Undecided | Fix Released | ||
Bug #973194: [SRU] Parallel VM creation fails when nova-computes share the disks and each nova-compute node has no cached images.
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 973194 | [SRU] Parallel VM creation fails when nova-computes share the disks and each nova-compute node has no cached images. | OpenStack Compute (nova) | Medium | Fix Released | ||
| 973194 | [SRU] Parallel VM creation fails when nova-computes share the disks and each nova-compute node has no cached images. | nova (Ubuntu) | Undecided | Fix Released | ||
| 973194 | [SRU] Parallel VM creation fails when nova-computes share the disks and each nova-compute node has no cached images. | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 973194 | [SRU] Parallel VM creation fails when nova-computes share the disks and each nova-compute node has no cached images. | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #975043: [SRU] Cloudpipe VPN instance can loose connectivity after starting openvpn
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 975043 | [SRU] Cloudpipe VPN instance can loose connectivity after starting openvpn | OpenStack Compute (nova) | Low | Fix Released | ||
| 975043 | [SRU] Cloudpipe VPN instance can loose connectivity after starting openvpn | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
| 975043 | [SRU] Cloudpipe VPN instance can loose connectivity after starting openvpn | nova (Ubuntu) | Undecided | Fix Released | ||
| 975043 | [SRU] Cloudpipe VPN instance can loose connectivity after starting openvpn | nova (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #977759: [SRU] With QuantumManager, nova-network does not start dnsmasq during initialization
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 977759 | [SRU] With QuantumManager, nova-network does not start dnsmasq during initialization | OpenStack Compute (nova) | Medium | Fix Released | ||
| 977759 | [SRU] With QuantumManager, nova-network does not start dnsmasq during initialization | nova (Ubuntu) | Undecided | Fix Released | ||
| 977759 | [SRU] With QuantumManager, nova-network does not start dnsmasq during initialization | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 977759 | [SRU] With QuantumManager, nova-network does not start dnsmasq during initialization | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #983206: [SRU] nova errors when keypair starts with 0XG using EC2 API
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 983206 | [SRU] nova errors when keypair starts with 0XG using EC2 API | OpenStack Compute (nova) | Low | Fix Released | ||
| 983206 | [SRU] nova errors when keypair starts with 0XG using EC2 API | nova (Ubuntu) | Undecided | Fix Released | ||
| 983206 | [SRU] nova errors when keypair starts with 0XG using EC2 API | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 983206 | [SRU] nova errors when keypair starts with 0XG using EC2 API | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #985184: Security groups fail to be set correctly if incorrect case is used for protocol specification
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 985184 | Security groups fail to be set correctly if incorrect case is used for protocol specification | OpenStack Compute (nova) | Medium | Fix Released | ||
| 985184 | Security groups fail to be set correctly if incorrect case is used for protocol specification | OpenStack Compute (nova) essex | Medium | Fix Released | ||
| 985184 | Security groups fail to be set correctly if incorrect case is used for protocol specification | nova (Ubuntu) | Undecided | Fix Released | ||
| 985184 | Security groups fail to be set correctly if incorrect case is used for protocol specification | nova (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #987335: [SRU] libvit/connection.py missing console_log variable
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 987335 | [SRU] libvit/connection.py missing console_log variable | OpenStack Compute (nova) | Medium | Fix Released | ||
| 987335 | [SRU] libvit/connection.py missing console_log variable | nova (Ubuntu) | Undecided | Fix Released | ||
| 987335 | [SRU] libvit/connection.py missing console_log variable | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 987335 | [SRU] libvit/connection.py missing console_log variable | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #988615: [SRU] xen: destroy_vdi breaks because session is not passed in
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 988615 | [SRU] xen: destroy_vdi breaks because session is not passed in | OpenStack Compute (nova) | Medium | Fix Released | ||
| 988615 | [SRU] xen: destroy_vdi breaks because session is not passed in | OpenStack Compute (nova) essex | Medium | Fix Released | ||
| 988615 | [SRU] xen: destroy_vdi breaks because session is not passed in | nova (Ubuntu) | Undecided | Fix Released | ||
| 988615 | [SRU] xen: destroy_vdi breaks because session is not passed in | nova (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #989764: [SRU] timeout on EC2 CreateImage action is 60 hours instead of 1 hour
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 989764 | [SRU] timeout on EC2 CreateImage action is 60 hours instead of 1 hour | OpenStack Compute (nova) | Low | Fix Released | ||
| 989764 | [SRU] timeout on EC2 CreateImage action is 60 hours instead of 1 hour | nova (Ubuntu) | Undecided | Fix Released | ||
| 989764 | [SRU] timeout on EC2 CreateImage action is 60 hours instead of 1 hour | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 989764 | [SRU] timeout on EC2 CreateImage action is 60 hours instead of 1 hour | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #990237: [sru] libvirt get_console_output: 'instance_name' is not defined
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 990237 | [sru] libvirt get_console_output: 'instance_name' is not defined | OpenStack Compute (nova) | Medium | Fix Released | ||
| 990237 | [sru] libvirt get_console_output: 'instance_name' is not defined | nova (Ubuntu) | Undecided | Fix Released | ||
| 990237 | [sru] libvirt get_console_output: 'instance_name' is not defined | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 990237 | [sru] libvirt get_console_output: 'instance_name' is not defined | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #992916: [SRU] nova.tests.test_nova_rootwrap fails on Fedora 17
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 992916 | [SRU] nova.tests.test_nova_rootwrap fails on Fedora 17 | OpenStack Compute (nova) | Medium | Fix Released | ||
| 992916 | [SRU] nova.tests.test_nova_rootwrap fails on Fedora 17 | nova (Ubuntu) | Undecided | Fix Released | ||
| 992916 | [SRU] nova.tests.test_nova_rootwrap fails on Fedora 17 | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 992916 | [SRU] nova.tests.test_nova_rootwrap fails on Fedora 17 | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #993663: [SRU] dns_domains table mysql charset is 'latin1'. Should be 'utf8'
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 993663 | [SRU] dns_domains table mysql charset is 'latin1'. Should be 'utf8' | OpenStack Compute (nova) | Medium | Fix Released | ||
| 993663 | [SRU] dns_domains table mysql charset is 'latin1'. Should be 'utf8' | nova (Ubuntu) | Undecided | Fix Released | ||
| 993663 | [SRU] dns_domains table mysql charset is 'latin1'. Should be 'utf8' | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 993663 | [SRU] dns_domains table mysql charset is 'latin1'. Should be 'utf8' | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #997014: [SRU] Memory is not correctly computed for Xen+libvirt
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 997014 | [SRU] Memory is not correctly computed for Xen+libvirt | OpenStack Compute (nova) | High | Fix Released | ||
| 997014 | [SRU] Memory is not correctly computed for Xen+libvirt | nova (Ubuntu) | Undecided | Fix Released | ||
| 997014 | [SRU] Memory is not correctly computed for Xen+libvirt | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 997014 | [SRU] Memory is not correctly computed for Xen+libvirt | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
| 997014 | [SRU] Memory is not correctly computed for Xen+libvirt | nova (CentOS) | Undecided | New | ||
Bug #1000261: newer `qemu-img info` causes in exception when finding the backing file for qcow2 images
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1000261 | newer `qemu-img info` causes in exception when finding the backing file for qcow2 images | OpenStack Compute (nova) | Medium | Fix Released | ||
| 1000261 | newer `qemu-img info` causes in exception when finding the backing file for qcow2 images | nova (Ubuntu) | Undecided | Fix Released | ||
| 1000261 | newer `qemu-img info` causes in exception when finding the backing file for qcow2 images | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #1000403: [SRU] multi scheduler does not handle capabilities updates correctly
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1000403 | [SRU] multi scheduler does not handle capabilities updates correctly | OpenStack Compute (nova) | Low | Fix Released | ||
| 1000403 | [SRU] multi scheduler does not handle capabilities updates correctly | nova (Ubuntu) | Undecided | Fix Released | ||
| 1000403 | [SRU] multi scheduler does not handle capabilities updates correctly | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 1000403 | [SRU] multi scheduler does not handle capabilities updates correctly | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
Bug #1010473: [SRU] Tracker for 12.04 Openstack Updates
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1010473 | [SRU] Tracker for 12.04 Openstack Updates | nova (Ubuntu) | High | Fix Released | ||
| 1010473 | [SRU] Tracker for 12.04 Openstack Updates | glance (Ubuntu) | High | Fix Released | ||
| 1010473 | [SRU] Tracker for 12.04 Openstack Updates | keystone (Ubuntu) | High | Fix Released | ||
Bug #1010514: Source group based security group rule without protocol and port causes failures
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1010514 | Source group based security group rule without protocol and port causes failures | OpenStack Compute (nova) | High | Fix Released | ||
| 1010514 | Source group based security group rule without protocol and port causes failures | OpenStack Compute (nova) essex | Undecided | Fix Released | ||
| 1010514 | Source group based security group rule without protocol and port causes failures | nova (Ubuntu) | Undecided | Fix Released | ||
| 1010514 | Source group based security group rule without protocol and port causes failures | nova (Ubuntu Oneiric) | Undecided | Fix Released | ||
| 1010514 | Source group based security group rule without protocol and port causes failures | nova (Ubuntu Precise) | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
