director: two vulnerabilities
| Package(s): | RHELOSP7 director | CVE #(s): | CVE-2015-5303 CVE-2015-5329 |
| Created: | December 22, 2015 | Updated: | December 23, 2015 |
| Description: | From the Red Hat advisory: |

It was discovered that the director's NeutronMetadataProxySharedSecret parameter remained specified at the default value of 'unset'. This value is used by OpenStack Networking to sign instance headers; if unchanged, an attacker knowing the shared secret could use this flaw to spoof OpenStack Networking metadata requests. (CVE-2015-5303)

A flaw was found in the director (openstack-tripleo-heat-templates) where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials (guest/guest). A remote, non-authenticated attacker could use this flaw to access RabbitMQ services in the deployed cloud. (CVE-2015-5329)
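A defender-side check for both defaults, added here as an example and not taken from the advisory or from the director code: it audits the rendered service configuration on deployed nodes rather than the deployment parameters, because CVE-2015-5329 is a case where supplied values were not used. The option names (`metadata_proxy_shared_secret`, `rabbit_userid`, `rabbit_password`, `rabbit_host`, `rabbit_hosts`), the guest fallback for missing credentials, the `audit_config` helper and the sample files are assumptions of this example.

```python
import configparser

# Weak values quoted in the advisory text above.
WEAK_SECRETS = {"", "unset"}
GUEST = "guest"

# Assumed names of the rendered settings (not stated on this page).
SECRET_OPTION = "metadata_proxy_shared_secret"
RABBIT_OPTIONS = ("rabbit_userid", "rabbit_password", "rabbit_host", "rabbit_hosts")

def audit_config(name, text):
    """Return sorted (file, section, cve) findings for one rendered INI file."""
    # default_section is renamed so [DEFAULT] values are not inherited by
    # every other section; strict=False tolerates repeated options.
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cp.read_string(text)
    findings = set()
    for section in cp.sections():
        opts = {k: v.strip().strip("'\"") for k, v in cp.items(section)}
        if SECRET_OPTION in opts and opts[SECRET_OPTION] in WEAK_SECRETS:
            findings.add((name, section, "CVE-2015-5303"))
        # A missing credential counts as guest (assumed library default).
        if any(o in opts for o in RABBIT_OPTIONS):
            user = opts.get("rabbit_userid", GUEST)
            password = opts.get("rabbit_password", GUEST)
            if (user, password) == (GUEST, GUEST):
                findings.add((name, section, "CVE-2015-5329"))
    return sorted(findings)

# Constructed sample files; every value is made up for this example.
SAMPLE_NOVA_AFFECTED = """
[neutron]
metadata_proxy_shared_secret = unset
[oslo_messaging_rabbit]
rabbit_hosts = 192.0.2.10:5672
"""
SAMPLE_NOVA_FIXED = """
[neutron]
metadata_proxy_shared_secret = EXAMPLE-PLACEHOLDER-SECRET
[oslo_messaging_rabbit]
rabbit_userid = overcloud-example
rabbit_password = EXAMPLE-PLACEHOLDER-PASSWORD
"""

if __name__ == "__main__":
    for label, body in (("affected", SAMPLE_NOVA_AFFECTED), ("fixed", SAMPLE_NOVA_FIXED)):
        print(label, audit_config("nova.conf", body) or "no findings")
```

The affected sample omits the RabbitMQ credentials entirely and is still flagged, which is the case a search for the literal string `guest` in the file would miss.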
