CVE-2014-3517 — OpenStack Compute (Nova) Exposure of Sensitive Information to an Unauthorized Ac

Description

api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.

How to fix CVE-2014-3517

To remediate CVE-2014-3517, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2014.1.1-8 or later
—upgrade to 2013.2.4 or later

Is CVE-2014-3517 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2014.1.1-8
from 0, < 2013.2.4

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3517
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3517
PATCHopendev.org/openstack/nova
WEBaccess.redhat.com/errata/RHSA-2014:0940
WEBaccess.redhat.com