Difference between revisions of "Security Notes"
(→Published Security Notes) |
(→Published Security Notes) |
||
Line 2: | Line 2: | ||
=== Published Security Notes === | === Published Security Notes === | ||
+ | *[[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (PENDING REVIEW) | ||
*[[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014) | *[[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014) | ||
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014) | * [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014) |
Revision as of 17:19, 4 April 2014
The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.
Published Security Notes
- OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability (PENDING REVIEW)
- OSSN-0009 - Potential token revocation abuse via group membership (2 Apr 2014)
- OSSN-0008 - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
- OSSN-0007 - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
- OSSN-0006 - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
- OSSN-0005 - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
- OSSN-0004 - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
- OSSN-0003 - Keystone configuration should not be world readable (13 May 2013)
- OSSN-0002 - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
- OSSN-0001 - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)