I think we can reuse the existing CVE for this issue and issue an advisory. I've created the draft impact description below:
Title: oslo.vmware uses a version of the suds soap client with known vulnerabilities.
Reporter: Grant Murphy (Red Hat)
Products: oslo.vmware, Nova, Cinder
Versions: from 2013.2 to 2013.2.3, and 2014.1 versions up to 2014.1.1
Description:
Grant Murphy from Red Hat found that oslo.vmware uses a vulnerable dependency.
The suds soap client cache stores pickled objects at a predictable path in /tmp.
A local attacker could pre-emptively create poisoned cache entries to execute
arbitrary code via pickle deserialization. The oslo.vmware code can be found
in the Nova and Cinder projects.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
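The bug class the draft describes, shown as an added illustration rather than suds or oslo.vmware code: a cache that unpickles files from a predictable shared location is taken over by whichever local user writes the entry first, because a pickle stream can name any importable callable and have it run at load time. The hardened variant keeps the cache in a per-user mode-0700 directory with an unguessable name, refuses symlinks, and loads with a restricted Unpickler that rejects every global lookup. The directory names, entry names, the `mark_executed` stand-in for `os.system`, and the sample cache contents are all constructed for this example; nothing here is the fix actually applied in suds.

```python
"""Added illustration of the 'poisoned pickle cache' bug class (not suds or
oslo.vmware code). All paths, names and payloads are constructed."""
import os
import pickle
import shutil
import stat
import tempfile

# Records side effects of the planted payload so they are observable
# without running anything harmful.
EXECUTED = []


def mark_executed(tag):
    """Harmless stand-in for os.system & co.: an importable callable that a
    pickle payload can reference by name."""
    EXECUTED.append(tag)
    return tag


class Poisoned:
    """Object whose pickle form tells the loader to call mark_executed()."""

    def __reduce__(self):
        return (mark_executed, ("code ran during unpickle",))


def attacker_plants_entry(shared_dir, entry):
    """Local attacker pre-creates the cache entry at the predictable path
    before the victim process ever writes it."""
    os.makedirs(shared_dir, exist_ok=True)
    path = os.path.join(shared_dir, entry)
    with open(path, "wb") as f:
        pickle.dump(Poisoned(), f)
    return path


def naive_cache_get(shared_dir, entry):
    """Vulnerable loader: trusts whatever sits at the predictable path."""
    path = os.path.join(shared_dir, entry)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return pickle.load(f)  # any callable named in the stream runs here


class DataOnlyUnpickler(pickle.Unpickler):
    """Rejects every global lookup, so only literals and containers load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def private_cache_dir():
    """Per-user, mode-0700 directory with a random name (tempfile.mkdtemp):
    another local user can neither predict nor pre-create entries in it."""
    return tempfile.mkdtemp(prefix="soap-cache-")


def hardened_cache_get(cache_dir, entry):
    """Hardened loader: directory must be ours and private, the entry must not
    be a symlink, and the stream is loaded with globals disabled."""
    st = os.lstat(cache_dir)
    if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError("cache dir is not private to this user")
    path = os.path.join(cache_dir, entry)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return None
    with os.fdopen(fd, "rb") as f:
        return DataOnlyUnpickler(f).load()


def demo():
    """Returns (payload runs via naive loader, hardened loader refused the
    payload, payload runs via hardened loader, plain data round-trip)."""
    # A fresh temp dir stands in for the predictable, shared /tmp location.
    shared = os.path.join(tempfile.mkdtemp(), "example-soap-cache")
    private = private_cache_dir()
    try:
        attacker_plants_entry(shared, "wsdl-entry")
        before = len(EXECUTED)
        naive_cache_get(shared, "wsdl-entry")
        naive_ran = len(EXECUTED) - before

        # Even if the same bytes reach the private cache, loading is refused.
        shutil.copy(os.path.join(shared, "wsdl-entry"), private)
        before = len(EXECUTED)
        try:
            hardened_cache_get(private, "wsdl-entry")
            refused = False
        except pickle.UnpicklingError:
            refused = True
        hardened_ran = len(EXECUTED) - before

        # Plain data (constructed sample) still round-trips through it.
        with open(os.path.join(private, "plain"), "wb") as f:
            pickle.dump({"url": "https://vcenter.example/sdk", "ttl": 3600}, f)
        plain = hardened_cache_get(private, "plain")
    finally:
        shutil.rmtree(os.path.dirname(shared), ignore_errors=True)
        shutil.rmtree(private, ignore_errors=True)
    return naive_ran, refused, hardened_ran, plain


if __name__ == "__main__":
    print(demo())
```

The two controls are independent: the private directory stops a local attacker from planting entries at all, and the restricted Unpickler limits the damage if a poisoned stream reaches the loader anyway (for example via a copied cache). A cache that only ever needs plain data is better served by a format with no code-loading capability, such as JSON, than by restricting pickle.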