[openstack-dev] [kolla] Kolla-Ansible pip packages vulnerable to CVE-2018-1000115
mathieu.goessens at imt-atlantique.fr
Mon Mar 26 14:36:00 UTC 2018
I initially sent this mail privately, resending it to the list on request:
Kolla-Ansible https://docs.openstack.org/kolla-ansible/ pip packages
(recommended in the doc) are vulnerable to CVE-2018-1000115.
The patch has been committed and merged in stable/queens, stable/pike and
stable/ocata (https://review.openstack.org/#/c/550686/). However, the pip
stable packages are still based on 5.0.1, which does not contain the fix
(22.214.171.124rc2, which contains the fix, is available in pip, but won't be
installed by default because it's a prerelease).
While I understand that good security practices would recommend
firewalling etc., and that the fixes are available, I believe having
vulnerable packages in the default, recommended install is an important
Moreover, I would like to suggest issuing a Security Advisory when
updated packages are available, because:
- pip/system won't propose upgrades by default, so users may not be aware
they are vulnerable.
- users can actually be hit by CVE-2018-1000115 and participate in DDoS.
- the DDoS traffic patterns observed in my cloud are not big bursts, but
follow a classic daily pattern that could look legitimate and so
could stay unnoticed for a long time (see graph,
http://pix.toile-libre.org/?img=1522070903.png, mostly if not only DDOS
How to verify:
git clone https://github.com/openstack/kolla-ansible ; cd kolla-ansible
git checkout tags/126.96.36.199rc2 ; git log | grep "Security memcached"
git checkout tags/5.0.1 ; git log | grep "Security memcached"
tar xvzf kolla-ansible-5.0.1.tar.gz
(compare with https://review.openstack.org/#/c/550686/ if needed)
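As an added example (not part of this mail or of kolla-ansible), the following Python check flags memcached processes whose startup options leave the UDP listener that CVE-2018-1000115 abuses reachable from non-loopback addresses. It assumes the options memcached itself accepts (-U/--udp-port, -l/--listen) and that the remediation is disabling UDP with "-U 0" or binding to loopback; the sample command lines and the udp_default_on switch are constructed for the example.

```python
import shlex
# CVE-2018-1000115: a memcached whose UDP listener (port 11211 by default) is
# reachable can be abused as a DDoS reflector. memcached before 1.5.6 enabled
# UDP by default; udp_default_on=True models that affected case.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_memcached_args(cmdline):
    """Return the UDP port (-U/--udp-port) and listen addresses (-l/--listen)."""
    argv = shlex.split(cmdline)
    udp_port = None  # None: option not given, memcached's default applies
    listen = []
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in ("-U", "--udp-port"):
            udp_port = int(argv[i + 1]); i += 2
        elif a.startswith("--udp-port="):
            udp_port = int(a.split("=", 1)[1]); i += 1
        elif a in ("-l", "--listen"):
            listen.extend(argv[i + 1].split(",")); i += 2
        elif a.startswith("--listen="):
            listen.extend(a.split("=", 1)[1].split(",")); i += 1
        else:
            i += 1
    return {"udp_port": udp_port, "listen": listen}

def _host(addr):
    # Strip an IPv4 "host:port" suffix; a bare IPv6 address like "::1" is kept.
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def udp_exposed(cmdline, udp_default_on=True):
    """True if this memcached would serve UDP on a non-loopback address."""
    cfg = parse_memcached_args(cmdline)
    port = cfg["udp_port"]
    if port == 0 or (port is None and not udp_default_on):
        return False  # "-U 0" is how UDP gets switched off
    addrs = cfg["listen"] or ["0.0.0.0"]  # no -l: memcached binds all interfaces
    return any(_host(a) not in LOOPBACK for a in addrs)

def find_exposed(cmdlines):
    """Indexes of command lines that expose a UDP memcached listener."""
    return [i for i, c in enumerate(cmdlines) if udp_exposed(c)]

# Constructed sample process lines (not from a real deployment).
SAMPLE_PROCESSES = [
    "memcached -vv -l 10.0.0.5 -p 11211 -m 256",       # UDP at default: exposed
    "memcached -vv -l 10.0.0.5 -p 11211 -m 256 -U 0",  # UDP disabled: safe
    "memcached -l 127.0.0.1,::1 -p 11211",             # loopback only: safe
    "memcached --listen=0.0.0.0 --udp-port=11211",     # explicit UDP, all ifaces
]
```

Feed it the memcached lines from `ps -o args=` on each host to see which instances still need the fix.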