CVE-2015-7713
First published: Tue Oct 06 2015(Updated: )
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Nova | >=2014.2<2014.2.4 | |
| OpenStack Nova | >=2015.1.0<2015.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-2684.html
- http://www.securityfocus.com/bid/76960
- https://access.redhat.com/errata/RHSA-2015:2673
- https://bugs.launchpad.net/nova/+bug/1491307
- https://bugs.launchpad.net/nova/+bug/1492961
- https://security.openstack.org/ossa/OSSA-2015-021.html
- https://launchpad.net/bugs/1491307
- https://launchpad.net/bugs/1484738
- http://seclists.org/oss-sec/2015/q4/41
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1269122
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1269123
- https://review.openstack.org/222026
- https://review.openstack.org/222023
- https://review.openstack.org/222022
- https://rhn.redhat.com/errata/RHSA-2015-2684.html
- https://rhn.redhat.com/errata/RHSA-2016-0013.html
- https://rhn.redhat.com/errata/RHSA-2016-0017.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1269119
Frequently Asked Questions
What is the severity of CVE-2015-7713?
CVE-2015-7713 is classified as a medium severity vulnerability.
What does CVE-2015-7713 allow attackers to do?
CVE-2015-7713 allows remote attackers to bypass security group restrictions on OpenStack Nova.
How do I fix CVE-2015-7713?
To fix CVE-2015-7713, upgrade to OpenStack Nova version 2014.2.4 or 2015.1.2 or later.
Which versions of OpenStack Nova are affected by CVE-2015-7713?
CVE-2015-7713 affects OpenStack Nova versions before 2014.2.4 and 2015.1.x before 2015.1.2.
When was CVE-2015-7713 disclosed?
CVE-2015-7713 was disclosed in 2015.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-7713
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/source
- vendor/openstack
- canonical/openstack nova
- version/openstack nova/2014.2
- version/openstack nova/2015.1.0