
[openstack-announce] [OSSA 2016-013] Network information disclosure through Heat template source URL (CVE-2016-9185)


==============================================================================
OSSA-2016-013: Network information disclosure through Heat template
source URL
==============================================================================

:Date: November 18, 2016
:CVE: CVE-2016-9185

Affects
~~~~~~~
- Heat: <=5.0.3, >=6.0.0 <=6.1.0 and ==7.0.0

Description
~~~~~~~~~~~
Tom Patzig from SAP reported a vulnerability in Heat. By launching a
new Heat stack with a local URL an authenticated user may conduct
network discovery revealing internal network configuration. All Heat
setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/393149 (Liberty)
- https://review.openstack.org/393148 (Mitaka)
- https://review.openstack.org/393147 (Newton)
- https://review.openstack.org/393146 (Ocata)

Credits
~~~~~~~
- Tom Patzig from SAP (CVE-2015-9185)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1606500
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9185

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


OpenStack-announce mailing list
OpenStack-announce@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

asked Nov 18, 2016 in openstack-announce by tdecacqu_at_redhat.c (2,120 points)
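The advisory above describes a service fetching a user-supplied template URL and thereby reaching addresses only the service itself can see. The following validator is an added example of the kind of check a defender would put in front of such a fetch; it is not Heat's patch from the reviews linked above. Function names, the `resolver` parameter and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not Heat's own fix): only fetch template sources over http(s),
# and only when the host resolves exclusively to globally routable addresses.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host, resolver=socket.getaddrinfo):
    """Return every IP address the host names; an IP literal names itself."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass  # not a literal, fall through to name resolution
    # getaddrinfo entries are (family, type, proto, canonname, sockaddr);
    # sockaddr[0] is the textual address for both IPv4 and IPv6.
    return [ipaddress.ip_address(info[4][0]) for info in resolver(host, None)]


def is_safe_template_url(url, resolver=socket.getaddrinfo):
    """True only for an http(s) URL whose host names nothing but public addresses.

    'resolver' has the socket.getaddrinfo signature so callers (and the test
    below) can inject a fixed answer instead of doing live DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file://, ftp://, data:, scheme-less, or no host at all
    try:
        addrs = _resolve(parts.hostname, resolver)
    except (socket.gaierror, OSError):
        return False  # unresolvable names are rejected, not retried
    if not addrs:
        return False
    # is_global is False for loopback, RFC 1918 private ranges, link-local
    # (which covers the 169.254.169.254 metadata address), multicast,
    # reserved and unspecified addresses. A name that maps to a mix of
    # public and internal addresses is rejected as a whole.
    return all(addr.is_global for addr in addrs)
```

Resolving here and fetching later leaves a window in which a DNS answer can change, so the fetch itself should connect to the addresses vetted here rather than re-resolving the name.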