Openstack · Openstack Compute · CVE-2014-0167
**Name of the Vulnerable Software and Affected Versions**
OpenStack Compute (Nova) versions 2013.1 through 2013.2.3
OpenStack Compute (Nova) icehouse before icehouse-rc2
**Description**
The issue concerns the Nova EC2 API security group implementation, which fails to enforce Role-Based Access Control (RBAC) policies for certain methods, including `add rules`, `remove rules`, and `destroy`, when non-default policies are used. This allows remote authenticated users to gain privileges via these API requests.
**Recommendations**
For OpenStack Compute (Nova) versions 2013.1 through 2013.2.3, update to version 2013.2.4 or later.
For OpenStack Compute (Nova) icehouse before icehouse-rc2, update to icehouse-rc2 or later.