CVE-2012-2654 - OpenCVE

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openstack	Compute Diablo Essex

Configuration 1 [-]

OR	cpe:2.3:a:openstack:compute:2012.2:::::::*
	cpe:2.3:a:openstack:diablo:2011.3:::::::*
	cpe:2.3:a:openstack:essex:2012.1:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/46808
http://secunia.com/advisories/49439
http://www.ubuntu.com/usn/USN-1466-1
https://bugs.launchpad.net/nova/+bug/985184
https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
https://lists.launchpad.net/openstack/msg12883.html
https://review.openstack.org/#/c/8239/

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-06-21T15:00:00

Updated: 2024-08-06T19:42:31.878Z

Reserved: 2012-05-14T00:00:00

Link: CVE-2012-2654

Vulnrichment

No data.

NVD

Status : Modified

Published: 2012-06-21T15:55:12.847

Modified: 2017-08-29T01:31:38.460

Link: CVE-2012-2654

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-06-06T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "46808", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/46808"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.openstack.org/#/c/8239/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/nova/+bug/985184"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654"}, {"name": "USN-1466-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1466-1"}, {"name": "[openstack] 20120606 [OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.launchpad.net/openstack/msg12883.html"}, {"name": "nova-security-group-sec-bypass(76110)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76110"}, {"name": "49439", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/49439"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:42:31.878Z"}, "title": "CVE Program Container", "references": [{"name": "46808", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/46808"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.openstack.org/#/c/8239/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/nova/+bug/985184"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654"}, {"name": "USN-1466-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1466-1"}, {"name": "[openstack] 20120606 [OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.launchpad.net/openstack/msg12883.html"}, {"name": "nova-security-group-sec-bypass(76110)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76110"}, {"name": "49439", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/49439"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2654", "datePublished": "2012-06-21T15:00:00", "dateReserved": "2012-05-14T00:00:00", "dateUpdated": "2024-08-06T19:42:31.878Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*", "matchCriteriaId": "0E9D8029-F7DD-435D-B4F4-D3DABDB7333B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:diablo:2011.3:*:*:*:*:*:*:*", "matchCriteriaId": "65FA489C-5FDC-4887-9F1F-66177F87DB5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*", "matchCriteriaId": "E5FDB43F-B315-4F68-9D86-B644F2D4DF9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions."}, {"lang": "es", "value": "Las APIs (1) EC2 y (2) OS en OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1) y Diablo (2011.3) no comprueban correctamente el protocolo cuando se crean grupos de seguridad y el protocolo de red no se ha especificado por completo en min\u00fasculas, lo que permite a atacantes remotos eludir restricciones de acceso."}], "id": "CVE-2012-2654", "lastModified": "2017-08-29T01:31:38.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-06-21T15:55:12.847", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/46808"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/49439"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1466-1"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://bugs.launchpad.net/nova/+bug/985184"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76110"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654"}, {"source": "secalert@redhat.com", "url": "https://lists.launchpad.net/openstack/msg12883.html"}, {"source": "secalert@redhat.com", "url": "https://review.openstack.org/#/c/8239/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}