Moderate severity · NVD Advisory · Published Jun 21, 2012 · Updated Apr 29, 2026
CVE-2012-2654
Description
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nova (PyPI) | < 12.0.0a0 | 12.0.0a0 |
Affected products (3)
Patches (2)
ff06c7c885dc Fix up protocol case handling for security groups.
3 files changed · +4 −4
nova/api/ec2/cloud.py+1 −1 modified@@ -598,7 +598,7 @@ def _rule_dict_last_step(self, context, to_port=None, from_port=None, to_port=to_port, msg="For ICMP, the" " type:code must be valid") - values['protocol'] = ip_protocol + values['protocol'] = ip_protocol.lower() values['from_port'] = from_port values['to_port'] = to_port else:
nova/api/openstack/compute/contrib/security_groups.py+1 −1 modified@@ -524,7 +524,7 @@ def _rule_args_to_dict(self, context, to_port=None, from_port=None, to_port=to_port, msg="For ICMP, the" " type:code must be valid") - values['protocol'] = ip_protocol + values['protocol'] = ip_protocol.lower() values['from_port'] = from_port values['to_port'] = to_port else:
nova/virt/firewall.py+2 −2 modified@@ -331,8 +331,8 @@ def instance_rules(self, instance, network_info): else: fw_rules = ipv6_rules - protocol = rule.protocol - if version == 6 and rule.protocol == 'icmp': + protocol = rule.protocol.lower() + if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT']
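Review bot: in the nova/api/ec2/cloud.py and nova/api/openstack/compute/contrib/security_groups.py hunks, `ip_protocol` is lowercased only at the `values['protocol'] = ...` assignment, which sits after the call that ends in `msg="For ICMP, the" " type:code must be valid"`. If the branching and port or type:code validation earlier in `_rule_dict_last_step` and `_rule_args_to_dict` compare the caller's original string, those checks are still case-sensitive and can treat a mixed-case protocol differently from the value that ends up stored. Normalize once at the top of each function and use that value for both validation and storage. The same one-line change is duplicated in two API modules, so a shared helper would keep the EC2 and OS paths from drifting apart again. All three changed files are source modules, so the commit carries no regression test for a mixed-case protocol; one per API would be worth adding.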
9f9e9da77716 Fix up protocol case handling for security groups.
3 files changed · +4 −4
nova/api/ec2/cloud.py+1 −1 modified@@ -610,7 +610,7 @@ def _rule_dict_last_step(self, context, to_port=None, from_port=None, to_port=to_port, msg="For ICMP, the" " type:code must be valid") - values['protocol'] = ip_protocol + values['protocol'] = ip_protocol.lower() values['from_port'] = from_port values['to_port'] = to_port else:
nova/api/openstack/compute/contrib/security_groups.py+1 −1 modified@@ -497,7 +497,7 @@ def _rule_args_to_dict(self, context, to_port=None, from_port=None, to_port=to_port, msg="For ICMP, the" " type:code must be valid") - values['protocol'] = ip_protocol + values['protocol'] = ip_protocol.lower() values['from_port'] = from_port values['to_port'] = to_port else:
nova/virt/firewall.py+2 −2 modified@@ -300,8 +300,8 @@ def instance_rules(self, instance, network_info): else: fw_rules = ipv6_rules - protocol = rule.protocol - if version == 6 and rule.protocol == 'icmp': + protocol = rule.protocol.lower() + if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT']
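Review bot: in the nova/virt/firewall.py hunk, `protocol = rule.protocol.lower()` assumes every rule reaching `instance_rules` has a string protocol. If a rule can arrive with `protocol` unset, this line raises where the previous `protocol = rule.protocol` did not, so either guard it or state the invariant in a comment. It is also worth a short comment here that the enforcement-side lowercasing is deliberate: it is the only part of this change that covers rules already stored in mixed case before the API hunks normalized new ones, and without that note it looks redundant and is easy to remove later.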
References (13)
- bugs.launchpad.net/nova/+bug/985184 (nvd: Patch, WEB)
- github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978 (nvd: Exploit, Patch, WEB)
- github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654 (nvd: Exploit, Patch, WEB)
- secunia.com/advisories/46808 (nvd: Vendor Advisory)
- secunia.com/advisories/49439 (nvd: Vendor Advisory)
- github.com/advisories/GHSA-46r8-9cj7-pw6g (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2012-2654 (ghsa: ADVISORY)
- www.ubuntu.com/usn/USN-1466-1 (nvd: WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/76110 (nvd: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/nova/PYSEC-2012-37.yaml (ghsa: WEB)
- lists.launchpad.net/openstack/msg12883.html (nvd: WEB)
- review.openstack.org (ghsa: WEB)
- review.openstack.org (nvd)