cnvd - cnvd-2017-30765

CNVD-2017-30765

Vulnerability from cnvd - Published: 2017-10-20

Title

Huawei FusionSphere OpenStack鉴权不当漏洞

Description

Huawei FusionSphere OpenStack（FSO）是FusionSphere在ICT场景中的云平台软件。 FusionSphere OpenStack存在鉴权不当漏洞，由于对访问用户的权限鉴权不当，攻击者通过伪造rest消息成功利用后可以执行更多的操作。

Severity

高

Patch Name

Huawei FusionSphere OpenStack鉴权不当漏洞的补丁

Patch Description

FusionSphere OpenStack存在鉴权不当漏洞，由于对访问用户的权限鉴权不当，攻击者通过伪造rest消息成功利用后可以执行更多的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170830-02-OpenStack-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170830-02-OpenStack-cn

Impacted products

Name
Huawei FusionSphere OpenStack V100R006C10SPC003

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8194"
    }
  },
  "description": "Huawei FusionSphere OpenStack\uff08FSO\uff09\u662fFusionSphere\u5728ICT\u573a\u666f\u4e2d\u7684\u4e91\u5e73\u53f0\u8f6f\u4ef6\u3002 \r\n\r\nFusionSphere OpenStack\u5b58\u5728\u9274\u6743\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u7531\u4e8e\u5bf9\u8bbf\u95ee\u7528\u6237\u7684\u6743\u9650\u9274\u6743\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u4f2a\u9020rest\u6d88\u606f\u6210\u529f\u5229\u7528\u540e\u53ef\u4ee5\u6267\u884c\u66f4\u591a\u7684\u64cd\u4f5c\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170830-02-OpenStack-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-30765",
  "openTime": "2017-10-20",
  "patchDescription": "FusionSphere OpenStack\u5b58\u5728\u9274\u6743\u4e0d\u5f53\u6f0f\u6d1e\uff0c\u7531\u4e8e\u5bf9\u8bbf\u95ee\u7528\u6237\u7684\u6743\u9650\u9274\u6743\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u4f2a\u9020rest\u6d88\u606f\u6210\u529f\u5229\u7528\u540e\u53ef\u4ee5\u6267\u884c\u66f4\u591a\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Huawei FusionSphere OpenStack\u9274\u6743\u4e0d\u5f53\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei FusionSphere OpenStack V100R006C10SPC003"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170830-02-OpenStack-cn",
  "serverity": "\u9ad8",
  "submitTime": "2017-08-31",
  "title": "Huawei FusionSphere OpenStack\u9274\u6743\u4e0d\u5f53\u6f0f\u6d1e"
}

CVE-2017-8194 (GCVE-0-2017-8194)

Vulnerability from cvelistv5 – Published: 2017-11-22 19:00 – Updated: 2024-09-17 02:58

Summary

The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper authentication vulnerability. Due to improper authentication on one port, an authenticated, remote attacker may exploit the vulnerability to execute more operations by send a crafted rest message.

Severity ?

No CVSS data available.

CWE

Improper Authentication

Assigner

huawei

References

URL

Tags

	http://www.huawei.com/en/psirt/security-advisorie…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/102209	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	FusionSphere OpenStack	Affected: V100R006C00SPC102(NFV)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:27:23.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170830-02-OpenStack-en"
          },
          {
            "name": "102209",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102209"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FusionSphere OpenStack",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "V100R006C00SPC102(NFV)"
            }
          ]
        }
      ],
      "datePublic": "2017-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper authentication vulnerability. Due to improper authentication on one port, an authenticated, remote attacker may exploit the vulnerability to execute more operations by send a crafted rest message."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Authentication",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-19T10:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170830-02-OpenStack-en"
        },
        {
          "name": "102209",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102209"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-15T00:00:00",
          "ID": "CVE-2017-8194",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "FusionSphere OpenStack",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "V100R006C00SPC102(NFV)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper authentication vulnerability. Due to improper authentication on one port, an authenticated, remote attacker may exploit the vulnerability to execute more operations by send a crafted rest message."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170830-02-OpenStack-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170830-02-OpenStack-en"
            },
            {
              "name": "102209",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102209"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-8194",
    "datePublished": "2017-11-22T19:00:00Z",
    "dateReserved": "2017-04-25T00:00:00",
    "dateUpdated": "2024-09-17T02:58:03.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-30765

CVE-2017-8194 (GCVE-0-2017-8194)

Tags

Sightings

Nomenclature