Launchpad.net

CVE 2011-4076

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY.

Related bugs and status

CVE-2011-4076 (Candidate) is related to these bugs:

Bug #868360: Incorrect secret key causes user details to be revealed

		In	Importance	Status
868360	Incorrect secret key causes user details to be revealed	OpenStack Compute (nova)	Critical	Fix Released
868360	Incorrect secret key causes user details to be revealed	OpenStack Compute (nova) diablo	Undecided	Fix Released
868360	Incorrect secret key causes user details to be revealed	nova (Ubuntu)	Undecided	Fix Released
868360	Incorrect secret key causes user details to be revealed	nova (Ubuntu Maverick)	High	Fix Released
868360	Incorrect secret key causes user details to be revealed	nova (Ubuntu Natty)	High	Fix Released
868360	Incorrect secret key causes user details to be revealed	nova (Ubuntu Precise)	Undecided	Fix Released
868360	Incorrect secret key causes user details to be revealed	nova (Ubuntu Oneiric)	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2011-4076

Related bugs and status

Related bugs

References