Vulnerabilities > CVE-2014-7960 - Resource Management Errors vulnerability in Openstack Swift

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

openstack

CWE-399

nessus

NVD

Published: 2014-10-17

Updated: 2017-09-08

Summary

OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined.

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Swift - Openstack Swift 1.0.0 Openstack Swift 1.0.1 Openstack Swift 1.0.2 Openstack Swift 1.1.0 Openstack Swift 1.2.0 Openstack Swift 1.3.0 Openstack Swift 1.4.0 Openstack Swift 1.4.1 Openstack Swift 1.4.2 Openstack Swift 1.4.3 Openstack Swift 1.4.4 Openstack Swift 1.4.5 Openstack Swift 1.4.6 Openstack Swift 1.4.7 Openstack Swift 1.4.8 Openstack Swift 1.5.0 Openstack Swift 1.6.0 Openstack Swift 1.7.0 Openstack Swift 1.7.2 Openstack Swift 1.7.4 Openstack Swift 1.7.5 Openstack Swift 1.7.6 Openstack Swift 1.8.0 Openstack Swift 1.9.0 Openstack Swift 1.9.1 Openstack Swift 1.9.2 Openstack Swift 1.10.0 Openstack Swift 1.11.0 Openstack Swift 1.12.0 Openstack Swift 1.13.0 Openstack Swift 1.13.1 Openstack Swift 2.1.0	43

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Nessus

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-2704-1.NASL
description	Rajaneesh Singh discovered Swift does not properly enforce metadata limits. An attacker could abuse this issue to store more metadata than allowed by policy. (CVE-2014-7960) Clay Gerrard discovered Swift allowed users to delete the latest version of object regardless of object permissions when allow_version is configured. An attacker could use this issue to delete objects. (CVE-2015-1856). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	85252
published	2015-08-06
reporter	Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85252
title	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : swift vulnerabilities (USN-2704-1)

Redhat

advisories

rhsa
id RHSA-2015:0835
rhsa
id RHSA-2015:0836
rhsa
id RHSA-2015:1495

rpms

openstack-swift-0:1.13.1-4.el7ost
openstack-swift-account-0:1.13.1-4.el7ost
openstack-swift-container-0:1.13.1-4.el7ost
openstack-swift-doc-0:1.13.1-4.el7ost
openstack-swift-object-0:1.13.1-4.el7ost
openstack-swift-proxy-0:1.13.1-4.el7ost
openstack-swift-0:1.13.1-4.el6ost
openstack-swift-account-0:1.13.1-4.el6ost
openstack-swift-container-0:1.13.1-4.el6ost
openstack-swift-doc-0:1.13.1-4.el6ost
openstack-swift-object-0:1.13.1-4.el6ost
openstack-swift-proxy-0:1.13.1-4.el6ost
augeas-0:1.0.0-10.el6
augeas-debuginfo-0:1.0.0-10.el6
augeas-devel-0:1.0.0-10.el6
augeas-libs-0:1.0.0-10.el6
ccs-0:0.16.2-81.el6
check-mk-0:1.2.6p1-3.el6rhs
check-mk-debuginfo-0:1.2.6p1-3.el6rhs
check-mk-livestatus-0:1.2.6p1-3.el6rhs
clufter-cli-0:0.11.2-1.el6
clufter-debuginfo-0:0.11.2-1.el6
clufter-lib-ccs-0:0.11.2-1.el6
clufter-lib-general-0:0.11.2-1.el6
clufter-lib-pcs-0:0.11.2-1.el6
cluster-cim-0:0.16.2-31.el6
cluster-debuginfo-0:3.0.12.1-73.el6
cluster-snmp-0:0.16.2-31.el6
clusterlib-0:3.0.12.1-73.el6
clusterlib-devel-0:3.0.12.1-73.el6
clustermon-debuginfo-0:0.16.2-31.el6
cman-0:3.0.12.1-73.el6
corosync-0:1.4.7-2.el6
corosync-debuginfo-0:1.4.7-2.el6
corosynclib-0:1.4.7-2.el6
corosynclib-devel-0:1.4.7-2.el6
ctdb2.5-0:2.5.5-7.el6rhs
ctdb2.5-debuginfo-0:2.5.5-7.el6rhs
fence-virt-0:0.2.3-19.el6
fence-virt-debuginfo-0:0.2.3-19.el6
fence-virtd-0:0.2.3-19.el6
fence-virtd-checkpoint-0:0.2.3-19.el6
fence-virtd-libvirt-0:0.2.3-19.el6
fence-virtd-multicast-0:0.2.3-19.el6
fence-virtd-serial-0:0.2.3-19.el6
gfs2-utils-0:3.0.12.1-73.el6
gluster-nagios-addons-0:0.2.4-4.el6rhs
gluster-nagios-addons-debuginfo-0:0.2.4-4.el6rhs
gluster-nagios-common-0:0.2.0-1.el6rhs
glusterfs-0:3.7.1-11.el5
glusterfs-0:3.7.1-11.el6
glusterfs-0:3.7.1-11.el6rhs
glusterfs-api-0:3.7.1-11.el5
glusterfs-api-0:3.7.1-11.el6
glusterfs-api-0:3.7.1-11.el6rhs
glusterfs-api-devel-0:3.7.1-11.el5
glusterfs-api-devel-0:3.7.1-11.el6
glusterfs-api-devel-0:3.7.1-11.el6rhs
glusterfs-cli-0:3.7.1-11.el5
glusterfs-cli-0:3.7.1-11.el6
glusterfs-cli-0:3.7.1-11.el6rhs
glusterfs-client-xlators-0:3.7.1-11.el5
glusterfs-client-xlators-0:3.7.1-11.el6
glusterfs-client-xlators-0:3.7.1-11.el6rhs
glusterfs-debuginfo-0:3.7.1-11.el5
glusterfs-debuginfo-0:3.7.1-11.el6
glusterfs-debuginfo-0:3.7.1-11.el6rhs
glusterfs-devel-0:3.7.1-11.el5
glusterfs-devel-0:3.7.1-11.el6
glusterfs-devel-0:3.7.1-11.el6rhs
glusterfs-fuse-0:3.7.1-11.el5
glusterfs-fuse-0:3.7.1-11.el6
glusterfs-fuse-0:3.7.1-11.el6rhs
glusterfs-ganesha-0:3.7.1-11.el6rhs
glusterfs-geo-replication-0:3.7.1-11.el6rhs
glusterfs-libs-0:3.7.1-11.el5
glusterfs-libs-0:3.7.1-11.el6
glusterfs-libs-0:3.7.1-11.el6rhs
glusterfs-rdma-0:3.7.1-11.el5
glusterfs-rdma-0:3.7.1-11.el6
glusterfs-rdma-0:3.7.1-11.el6rhs
glusterfs-server-0:3.7.1-11.el6rhs
gstatus-0:0.64-3.1.el6rhs
gstatus-debuginfo-0:0.64-3.1.el6rhs
libqb-0:0.17.1-1.el6
libqb-debuginfo-0:0.17.1-1.el6
libqb-devel-0:0.17.1-1.el6
libtalloc-0:2.1.1-4.el6rhs
libtalloc-debuginfo-0:2.1.1-4.el6rhs
libtalloc-devel-0:2.1.1-4.el6rhs
libvirt-debuginfo-0:0.10.2-54.el6
libvirt-lock-sanlock-0:0.10.2-54.el6
modcluster-0:0.16.2-31.el6
nagios-plugins-0:1.4.16-12.el6rhs
nagios-plugins-debuginfo-0:1.4.16-12.el6rhs
nagios-plugins-dummy-0:1.4.16-12.el6rhs
nagios-plugins-ide_smart-0:1.4.16-12.el6rhs
nagios-plugins-nrpe-0:2.15-4.1.el6rhs
nagios-plugins-ping-0:1.4.16-12.el6rhs
nagios-plugins-procs-0:1.4.16-12.el6rhs
nagios-server-addons-0:0.2.1-4.el6rhs
nfs-ganesha-0:2.2.0-5.el6rhs
nfs-ganesha-debuginfo-0:2.2.0-5.el6rhs
nfs-ganesha-gluster-0:2.2.0-5.el6rhs
nfs-ganesha-nullfs-0:2.2.0-5.el6rhs
nrpe-0:2.15-4.1.el6rhs
nrpe-debuginfo-0:2.15-4.1.el6rhs
openais-0:1.1.1-7.el6
openais-debuginfo-0:1.1.1-7.el6
openaislib-0:1.1.1-7.el6
openaislib-devel-0:1.1.1-7.el6
openstack-swift-0:1.13.1-4.el6ost
openstack-swift-account-0:1.13.1-4.el6ost
openstack-swift-container-0:1.13.1-4.el6ost
openstack-swift-doc-0:1.13.1-4.el6ost
openstack-swift-object-0:1.13.1-4.el6ost
openstack-swift-proxy-0:1.13.1-4.el6ost
pacemaker-0:1.1.12-8.el6
pacemaker-cli-0:1.1.12-8.el6
pacemaker-cluster-libs-0:1.1.12-8.el6
pacemaker-cts-0:1.1.12-8.el6
pacemaker-debuginfo-0:1.1.12-8.el6
pacemaker-doc-0:1.1.12-8.el6
pacemaker-libs-0:1.1.12-8.el6
pacemaker-libs-devel-0:1.1.12-8.el6
pacemaker-remote-0:1.1.12-8.el6
pcs-0:0.9.139-9.el6
pcs-debuginfo-0:0.9.139-9.el6
pnp4nagios-0:0.6.22-2.1.el6rhs
pnp4nagios-debuginfo-0:0.6.22-2.1.el6rhs
pynag-0:0.9.1-1.el6rhs
pynag-examples-0:0.9.1-1.el6rhs
pytalloc-0:2.1.1-4.el6rhs
pytalloc-devel-0:2.1.1-4.el6rhs
python-blivet-1:1.0.0.2-1.el6rhs
python-clufter-0:0.11.2-1.el6
python-cpopen-0:1.3-4.el6_5
python-cpopen-debuginfo-0:1.3-4.el6_5
python-eventlet-0:0.14.0-1.el6
python-eventlet-doc-0:0.14.0-1.el6
python-gluster-0:3.7.1-11.el5
python-gluster-0:3.7.1-11.el6
python-gluster-0:3.7.1-11.el6rhs
python-greenlet-0:0.4.2-1.el6
python-greenlet-debuginfo-0:0.4.2-1.el6
python-greenlet-devel-0:0.4.2-1.el6
python-keystoneclient-1:0.9.0-5.el6ost
python-keystoneclient-doc-1:0.9.0-5.el6ost
python-prettytable-0:0.7.2-1.el6
python-pyudev-0:0.15-2.el6rhs
redhat-storage-logos-0:60.0.20-1.el6rhs
redhat-storage-server-0:3.1.0.3-1.el6rhs
resource-agents-0:3.9.5-24.el6
resource-agents-debuginfo-0:3.9.5-24.el6
resource-agents-sap-0:3.9.5-24.el6
ricci-0:0.16.2-81.el6
ricci-debuginfo-0:0.16.2-81.el6
userspace-rcu-0:0.7.9-2.el6rhs
userspace-rcu-debuginfo-0:0.7.9-2.el6rhs
userspace-rcu-devel-0:0.7.9-2.el6rhs
vdsm-0:4.16.20-1.2.el6rhs
vdsm-cli-0:4.16.20-1.2.el6rhs
vdsm-debug-plugin-0:4.16.20-1.2.el6rhs
vdsm-debuginfo-0:4.16.20-1.2.el6rhs
vdsm-gluster-0:4.16.20-1.2.el6rhs
vdsm-hook-ethtool-options-0:4.16.20-1.2.el6rhs
vdsm-hook-faqemu-0:4.16.20-1.2.el6rhs
vdsm-hook-openstacknet-0:4.16.20-1.2.el6rhs
vdsm-hook-qemucmdline-0:4.16.20-1.2.el6rhs
vdsm-jsonrpc-0:4.16.20-1.2.el6rhs
vdsm-python-0:4.16.20-1.2.el6rhs
vdsm-python-zombiereaper-0:4.16.20-1.2.el6rhs
vdsm-reg-0:4.16.20-1.2.el6rhs
vdsm-tests-0:4.16.20-1.2.el6rhs
vdsm-xmlrpc-0:4.16.20-1.2.el6rhs
vdsm-yajsonrpc-0:4.16.20-1.2.el6rhs

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References