CVE-2017-12440 – openstack-aodh: Aodh can be used to launder Keystone trusts
https://notcve.org/view.php?id=CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee. Aodh, tal y como viene en Openstack Ocata y Newton antes de change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 y antes de Pike-rc1, no verifica que las ID de confianza pertenecen al usuario cuando se crean acciones de alarma con el esquema "trust+http", lo que permite a los usuarios autenticados remotos con conocimiento sobre las ID de confianza en donde Aodh es la entidad de confianza obtener un token Keystone y realizar acciones autenticadas no especificadas añadiendo una acción de alarma con el esquema "trust+http" y proporcionando una ID de confianza en donde Aodh es la entidad de confianza. • http://www.debian.org/security/2017/dsa-3953 http://www.securityfocus.com/bid/100455 https://access.redhat.com/errata/RHSA-2017:3227 https://access.redhat.com/errata/RHSA-2018:0315 https://bugs.launchpad.net/ossn/+bug/1649333 https://review.openstack.org/#/c/493823 https://review.openstack.org/#/c/493824 https://review.openstack.org/#/c/493826 https://access.redhat.com/security/cve/CVE-2017-12440 https://bugzilla.redhat.com/show_bug.cgi?id=1478834 • CWE-306: Missing Authentication for Critical Function CWE-345: Insufficient Verification of Data Authenticity •
CVE-2015-3156
https://notcve.org/view.php?id=CVE-2015-3156
The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file. La función _write_config en trove/guestagent/datastore/experimental/mongodb/service.py, la función reset_configuration en trove/guestagent/datastore/experimental/postgresql/service/config.py, la función write_config en trove/guestagent/datastore/experimental/redis/service.py, la función _write_mycnf en trove/guestagent/datastore/mysql/service.py, la función InnoBackupEx::_run_prepare en trove/guestagent/strategies/restore/mysql_impl.py, la función InnoBackupEx::cmd en trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd en trove/guestagent/strategies/backup/mysql_impl.py, la función InnoBackupExIncremental::cmd en trove/guestagent/strategies/backup/mysql_impl.py, la función _get_actual_db_status en trove/guestagent/datastore/experimental/cassandra/system.py y trove/guestagent/datastore/experimental/cassandra/service.py, y múltiples métodos de clase CbBackup en trove/guestagent/strategies/backup/experimental/couchbase_impl.py en Openstack DBaaS (también llamado Trove) tal y como está empaquetado en Openstack en versiones anteriores a la 2015.1.0 (también llamada Kilo) permite que usuarios locales escriban en archivos de configuración mediante un ataque symlink en un archivo temporal. • https://bugs.launchpad.net/trove/+bug/1398195 https://bugzilla.redhat.com/show_bug.cgi?id=1216073 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/cassandra/service.py#L230 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/mongodb/service.py#L176 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/experimental/redis/service.py#L236 https://github.com/openstack/trove/blob/master/trove/guestagent/datastore/mysql • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2015-2687
https://notcve.org/view.php?id=CVE-2015-2687
OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails allows local users to access VM volumes that they would normally not have permissions for. OpenStack Compute (nova) Icehouse, Juno y Havana, cuando la migración en vivo fracasa, permiten que usuarios locales accedan a volúmenes de la máquina virtual a los que normalmente no habrían tenido permiso para hacerlo. • http://www.openwall.com/lists/oss-security/2015/03/24/10 http://www.openwall.com/lists/oss-security/2015/03/25/3 http://www.securityfocus.com/bid/77505 https://bugs.launchpad.net/nova/+bug/1419577 https://bugzilla.redhat.com/show_bug.cgi?id=1205313 https://review.openstack.org/#/c/338929 • CWE-284: Improper Access Control •
CVE-2017-7543 – openstack-neutron: iptables not active after update
https://notcve.org/view.php?id=CVE-2017-7543
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources. Se ha descubierto una condición de carrera en openstack-neutron en versiones anteriores a la 7.2.0-12.1, 8.x anteriores a la 8.3.0-11.1, 9.x anteriores a la 9.3.1-2.1 y 10.x anteriores a la 10.0.2-1.1, cuando, siguiendo a una actualización overcloud menor, los grupos de seguridad neutron estaban deshabilitados. De manera específica, lo siguiente se ha reiniciado a 0: net.bridge.bridge-nf-call-ip6tables y net.bridge.bridge-nf-call-iptables. • http://www.securityfocus.com/bid/100237 https://access.redhat.com/errata/RHSA-2017:2447 https://access.redhat.com/errata/RHSA-2017:2448 https://access.redhat.com/errata/RHSA-2017:2449 https://access.redhat.com/errata/RHSA-2017:2450 https://access.redhat.com/errata/RHSA-2017:2451 https://access.redhat.com/errata/RHSA-2017:2452 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7543 https://access.redhat.com/security/cve/CVE-2017-7543 https://bugzilla.redhat.com/sh • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2017-1000366 – Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000366
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. Glibc contiene una vulnerabilidad que permite que los valores LD_LIBRARY_PATH especialmente creados para manipular la región heap/stack de la memoria, generando entonces un alias, lo que podría conllevar a la ejecución del código arbitrario. Tenga en cuenta que se han realizado cambios de refuerzo adicionales en glibc para evitar la manipulación del stack y heap de la memoria de almacenamiento dinámico, pero estos problemas no se pueden explotar directamente, por lo que no se les ha otorgado un CVE. • https://www.exploit-db.com/exploits/42276 https://www.exploit-db.com/exploits/42274 https://www.exploit-db.com/exploits/42275 http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html http://seclists.org/fulldisclosure/2019/Sep/7 http://www.debian.org/security/2017/dsa-3887 http://www.securityfocus.com/bid/99127 http://www.securitytracker.com/id/1038712 https://access.redhat.com/errata/RHSA-2017:1479 https://access.redhat.com/errata/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •