Title: RBAC policy not enforced in Nova EC2 API
Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: 2013.1 versions up to 2013.2.2
Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular for the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using the EC2 API, resulting in unauthorized actions on security groups. Only setups using tighter access controls for the Nova API are affected.
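
A simplified model of this failure mode, added here as an illustration and not Nova code: two front ends share one security-group layer, and only one of them checks policy before calling it. The add_rules, remove_rules and destroy method names come from the report; the rule name, roles, classes and the placement of the check are assumptions.

```python
ACTION = "compute:security_groups"   # hypothetical rule name
POLICY = {ACTION: {"admin"}}         # constructed: only admins may change groups

def enforce(context, action):
    if not POLICY[action] & set(context["roles"]):   # no allowed role held
        raise PermissionError(action)

class SecurityGroupBackend:   # 'before': trusts callers to have checked policy
    def __init__(self):
        self.groups = {"web": []}
    def add_rules(self, context, name, rules):
        self.groups[name].extend(rules)
    def remove_rules(self, context, name, rules):
        self.groups[name] = [r for r in self.groups[name] if r not in rules]
    def destroy(self, context, name):
        del self.groups[name]

def policy_checked(method):   # wrap a method so the check runs on every path
    def wrapper(self, context, *args):
        enforce(context, ACTION)
        return method(self, context, *args)
    return wrapper

class HardenedBackend(SecurityGroupBackend):   # 'after': check in shared layer
    add_rules = policy_checked(SecurityGroupBackend.add_rules)
    remove_rules = policy_checked(SecurityGroupBackend.remove_rules)
    destroy = policy_checked(SecurityGroupBackend.destroy)

def native_call(backend, context, method, *args):
    enforce(context, ACTION)          # check lives in this front end only
    return getattr(backend, method)(context, *args)

def ec2_call(backend, context, method, *args):
    return getattr(backend, method)(context, *args)   # no check of its own

def audit(backend_cls, roles):
    """Return {(front_end, method): allowed} for a caller holding `roles`."""
    calls = [("add_rules", "web", ["tcp/22"]),
             ("remove_rules", "web", ["tcp/22"]), ("destroy", "web")]
    result = {}
    for label, front in (("native", native_call), ("ec2", ec2_call)):
        backend = backend_cls()       # fresh state for each front end
        for method, *args in calls:
            try:
                front(backend, {"roles": roles}, method, *args)
                result[(label, method)] = True
            except PermissionError:
                result[(label, method)] = False
    return result
```

Running `audit` with a restricted role against each backend class works as a regression check: every path into the three methods should report the same decision.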