CVE-2011-4076

Publication date 25 October 2011

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nova	11.10 oneiric	Fixed 2011.3-0ubuntu6.2
	11.04 natty	Fixed 2011.2-0ubuntu1.1
	10.10 maverick	Fixed 0.9.1~bzr331-0ubuntu2.1
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nova	Upstream: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commit;h=beee11edbfdd82cd81bc9c0fd75912c167892c2b

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2011-4076