CVE-2011-4076

Name of the Vulnerable Software and Affected Versions OpenStack Nova versions prior to 2012.1

Description The issue allows someone with access to an EC2 ACCESS KEY (equivalent to a username) to obtain the EC2 SECRET KEY (equivalent to a password). Exposing the EC2 ACCESS KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2 SECRET KEY. An attacker could also presumably brute force values for EC2 ACCESS KEY.

Recommendations For OpenStack Nova versions prior to 2012.1, update to version 2012.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the EC2 ACCESS KEY and EC2 SECRET KEY to minimize the risk of exploitation. Avoid using http for transmitting EC2 ACCESS KEY and consider using secure communication protocols to protect against man-in-the-middle attacks.