[openstack-dev] [kolla] Kolla-Ansible pip packages vulnerable to CVE-2018-1000115

Mathieu Goessens mathieu.goessens at imt-atlantique.fr
Mon Mar 26 14:36:00 UTC 2018

Hi folks,

I initially sent this mail privately, resending it to the list on request:

Kolla-Ansible https://docs.openstack.org/kolla-ansible/ pip packages
(recommended in the doc) are vulnerable to CVE-2018-1000115.

The patch has been committed and merged in stable/queens, stable/pike and
stable/ocata https://review.openstack.org/#/c/550686/. However, the pip
stable packages are still based on 5.0.1, which does not contain the fix
( which contains the fix is available in pip, but won't be
installed by default because it's a prerelease).

While I understand that good security practices would recommend
firewalling, etc., and that the fixes are available, I believe having
vulnerable packages in the default, recommended install is an important

Moreover, I would like to suggest issuing a Security Advisory when
updated packages become available, because:
- pip/system won't propose upgrades by default, so users may not be aware
they are vulnerable.
- users can actually be hit by CVE-2018-1000115 and participate in DDoS.
- DDoS traffic patterns observed in my cloud are not big bursts, but
follow a classic daily pattern that could look legitimate and so
could stay unnoticed for a long time (see graph,
http://pix.toile-libre.org/?img=1522070903.png, mostly if not only DDoS
traffic in)

How to verify:

git clone https://github.com/openstack/kolla-ansible ; cd kolla-ansible

git checkout tags/ ; git log | grep "Security memcached"

git checkout tags/5.0.1 ; git log | grep "Security memcached"


tar xvzf kolla-ansible-5.0.1.tar.gz

cat kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2

(compare with https://review.openstack.org/#/c/550686/ if needed)

Mathieu Goessens
Research Engineer
IMT Atlantique
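A small added check, not part of the mail above, that a deployer can run against an unpacked kolla-ansible tarball to see whether the memcached template actually disables the UDP listener. It assumes the fix amounts to adding "-U 0" to the "command" string in memcached.json.j2 (verify that assumption against the review linked above); the two template files it creates are constructed samples, not the project's real files.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumption: the memcached
# hardening for CVE-2018-1000115 disables UDP with "-U 0" on the memcached
# command line found in ansible/roles/memcached/templates/memcached.json.j2.

# Extract the memcached command line from the "command" key of the template.
memcached_command() {
    sed -n 's/.*"command": *"\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 when the UDP listener is disabled (-U 0 present), 1 otherwise.
memcached_udp_disabled() {
    memcached_command "$1" | grep -Eq -- '(^|[[:space:]])-U[[:space:]]+0([[:space:]]|$)'
}

# Human-readable verdict for one template file (defender's view).
check_template() {
    if memcached_udp_disabled "$1"; then
        echo "$1: UDP disabled (-U 0), not usable as a UDP amplifier"
        return 0
    fi
    echo "$1: UDP listener still enabled, exposed to CVE-2018-1000115 amplification"
    return 1
}

# Constructed samples mimicking a pre-fix (5.0.1-style) and a fixed template.
vuln_tpl=$(mktemp)
fixed_tpl=$(mktemp)
cat > "$vuln_tpl" <<'EOF'
{
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -m 256",
    "config_files": []
}
EOF
cat > "$fixed_tpl" <<'EOF'
{
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -m 256 -U 0",
    "config_files": []
}
EOF

# Usage on a real tarball: check_template kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2
check_template "$vuln_tpl" || true
check_template "$fixed_tpl" || true
```

On a live host the same question can be answered by checking whether memcached is listening on UDP port 11211 at all.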

