CVE-2012-2654 : The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

Published 2012-06-21 15:55:13

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2012-2654

Openstack » Compute » Version: 2012.2
cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*
Matching versions
Openstack » Essex » Version: 2012.1
cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*
Matching versions
Openstack » Diablo » Version: 2011.3
cpe:2.3:a:openstack:diablo:2011.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-2654

EPSS FAQ

2.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 83 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-2654

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-2654

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-2654

http://secunia.com/advisories/49439

Sign in
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/76110

OpenStack Compute Security Group security bypass CVE-2012-2654 Vulnerability Report
https://bugs.launchpad.net/nova/+bug/985184

Bug #985184 “Security groups fail to be set correctly if incorre...” : Bugs : OpenStack Compute (nova)
Patch
https://lists.launchpad.net/openstack/msg12883.html

[OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654) : Mailing list archive : openstack team in Launchpad
http://secunia.com/advisories/46808

Sign in
Vendor Advisory
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978

Fix up protocol case handling for security groups. · openstack/nova@9f9e9da · GitHub
Exploit;Patch
http://www.ubuntu.com/usn/USN-1466-1

USN-1466-1: Nova vulnerability | Ubuntu security notices
https://review.openstack.org/#/c/8239/

Change I36af1db2: Fix up protocol case handling for security groups. | review.opendev Code Review
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654

Fix up protocol case handling for security groups. · openstack/nova@ff06c7c · GitHub
Exploit;Patch

Jump to

Vulnerability Details : CVE-2012-2654

Products affected by CVE-2012-2654

Exploit prediction scoring system (EPSS) score for CVE-2012-2654

CVSS scores for CVE-2012-2654

CWE ids for CVE-2012-2654

References for CVE-2012-2654