CVE-2012-2654
OpenStack Compute (Nova) Improper Input Validation
EPSS 1.2%
Description
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
How to fix CVE-2012-2654
To remediate CVE-2012-2654, upgrade the affected package to one of the fixed versions listed below.
- Debian/nova—upgrade to 2012.1-6 or later
- PyPI/nova—upgrade to 12.0.0a0 or later
- —upgrade to 9f9e9da777161426a6f8cb4314b78e09beac2978 or later
Is CVE-2012-2654 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2012.1-6
- from 0, < 12.0.0a0
- from 0, < 9f9e9da777161426a6f8cb4314b78e09beac2978, < ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654 | from 0