{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-17T00:00:00", "descriptions": [{"lang": "en", "value": "api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-08-07T08:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20140717 [OSSA 2014-024] Use of non-constant time comparison operation  (CVE-2014-3517)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/07/17/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/nova/+bug/1325128"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.334Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140717 [OSSA 2014-024] Use of non-constant time comparison operation  (CVE-2014-3517)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/07/17/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/nova/+bug/1325128"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3517", "datePublished": "2014-08-07T10:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:43:06.334Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA51F598-3F53-4386-9953-8EAE0A6B41F0", "versionEndIncluding": "2013.2.4", "versionStartIncluding": "2013.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D2AC947-3F65-408D-AC2D-A6FCA805EDF2", "versionEndExcluding": "2014.1.2", "versionStartIncluding": "2014.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:nova:2014.2.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "24D7E080-7538-44C9-AF6D-43240967F72E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests."}, {"lang": "es", "value": "api/metadata/handler.py en OpenStack Compute (Nova) anterior a 2013.2.4, 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2, cuando redirige las solicitudes de metadatos a trav\u00e9s de Neutron, facilita a atacantes remotos adivinar las firmas de ID de instancia a trav\u00e9s de un ataque de fuerza bruta que se basa en las diferencias de tiempo en las respuestas a las solicitudes de metadatos de la instancia."}], "id": "CVE-2014-3517", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-08-07T11:13:34.967", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2014/07/17/2"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/nova/+bug/1325128"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2014/07/17/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.launchpad.net/nova/+bug/1325128"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank OpenStack project for reporting this issue. Upstream acknowledges Alex Gaynor (Rackspace) as the original reporter.", "affected_release": [{"advisory": "RHSA-2014:1084", "cpe": "cpe:/a:redhat:openstack:4::el6", "package": "openstack-nova-0:2013.2.3-12.el6ost", "product_name": "OpenStack 4 for RHEL 6", "release_date": "2014-08-21T00:00:00Z"}, {"advisory": "RHSA-2014:0940", "cpe": "cpe:/a:redhat:openstack:5::el7", "package": "openstack-nova-0:2014.1.1-4.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "release_date": "2014-07-24T00:00:00Z"}], "bugzilla": {"description": "openstack-nova: timing attack issue allows access to other instances' configuration information", "id": "1112499", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112499"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-385", "details": ["api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.", "A side-channel timing attack flaw was found in Nova. An attacker could possibly use this flaw to guess valid instance ID signatures, giving them access to details of another instance, by analyzing the response times of requests for instance metadata. This issue only affected configurations that proxy metadata requests via Neutron."], "name": "CVE-2014-3517", "package_state": [{"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Will not fix", "package_name": "openstack-nova", "product_name": "Red Hat OpenStack Platform 3"}], "public_date": "2014-07-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3517\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3517"], "threat_severity": "Moderate"}