CVE-2012-5571 : EC2-style credentials invalidation issue
OpenStack Security Advisory: 2012-018 CVE: CVE-2012-5571 Date: November 28, 2012 Title: EC2-style credentials invalidation issue Reporter: Vijaya Erukala Products: Keystone Affects: All versions...
CVE-2012-5625 : Information leak in libvirt LVM-backed instances
This is something of a repeat, as OpenStack has gotten caught before not cleaning out reusable memory locations, as has Amazon. But, it’s always annoying to see a vulnerability that has previously bit...
CVE-2013-0208 : Boot from volume allows access to random volumes
OpenStack Security Advisory: 2013-001 CVE: CVE-2013-0208 Date: January 29, 2013 Title: Boot from volume allows access to random volumes Reporter: Phil Day (HP) Products: Nova Affects: Essex, Folsom...
CVE-2013-0212 : Backend password leak in Glance error message
OpenStack Security Advisory: 2013-002 CVE: CVE-2013-0212 Date: January 29, 2013 Title: Backend password leak in Glance error message Reporter: Dan Prince (Red Hat) Products: Glance Affects: All...
CVE-2013-0247 : Keystone denial of service through invalid token requests
OpenStack Security Advisory: 2013-003 CVE: CVE-2013-0247 Date: February 5, 2013 Title: Keystone denial of service through invalid token requests Reporter: Dan Prince (Red Hat) Products: Keystone...
Auto Complete in Login Fields of Horizon
Description Basically the Horizon Authentication form has auto complete enabled by default. This is considered a security risk by most. A discussion popped up on the list suggesting a fix, and it was...
CVE-2013-0282 : Keystone EC2-style authentication accepts disabled user/tenants
* Interesting to note this vulnerability was reported by the NSA. OpenStack Security Advisory: 2013-005 CVE: CVE-2013-0282 Date: February 19, 2013 Keystone EC2-style authentication accepts disabled...
CVE-2013-1664, CVE-2013-1665 : Information leak and Denial of Service using...
OpenStack Security Advisory: 2013-004 CVE: CVE-2013-1664, CVE-2013-1665 Date: February 19, 2013 Title: Information leak and Denial of Service using XML entities Reporter: Jonathan Murray (NCC Group),...
CVE-2013-0335 : VNC proxy can connect to the wrong VM
OpenStack Security Advisory: 2013-006 CVE: CVE-2013-0335 Date: February 26, 2013 Title: VNC proxy can connect to the wrong VM Reporter: Loganathan Parthipan (HP), Rohit Karajgi (NTT Data) Products:...
Havana!
SecStack in Havana I am just back from Summit, where I ran into a bunch of wonderful folks both new and old. OpenStack is getting awesome. The security front is about to get REALLY interesting. HP,...
Shmoocon Talk On-Line
This is my talk from Shmoocon in February. Sort of an intro to the structure of OpenStack (at that time Folsom) with an eye towards providing auditors a map to find the areas they want to test....
OpenStack Security Guide ( OFFICIAL ) Released
This is a little behind the curve, but several OSSG members and developers met up in Atlanta, Georgia to do a book sprint on writing up a security hardening guide for OpenStack. I’ve read through it...