CVE-2015-7713 — OpenStack Compute (Nova) allows remote attackers to bypass intended restriction

Description

OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.

How to fix CVE-2015-7713

To remediate CVE-2015-7713, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 1:12.0.0-2 or later
PyPI/nova—upgrade to 2014.2.4 or later

Is CVE-2015-7713 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1:12.0.0-2
from 0, < 2014.2.4

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-7713
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-7713
PATCHopendev.org/openstack/nova
WEBrhn.redhat.com/errata/RHSA-2015-2684.html
WEBaccess.redhat.com