<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Hi Mathieu,</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Thanks for raising this issue.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">The patch is merged on all branches but not released [0]. We will release the next release ASAP.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">But on the other hand, if you build an OpenStack cloud through kolla and it is accessible through</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">the internet, you'd better use an external network (interface) for internet access. There are lots of ports</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">enabled on the internal network, like MariaDB and Memcached.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">[0] <a href="https://review.openstack.org/#/q/I30acb41f1209c0d07eb58f4feec91bc53146dcea">https://review.openstack.org/#/q/I30acb41f1209c0d07eb58f4feec91bc53146dcea</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 26, 2018 at 10:36 PM, Mathieu Goessens <span dir="ltr"><<a href="mailto:mathieu.goessens@imt-atlantique.fr" target="_blank">mathieu.goessens@imt-atlantique.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi folks,<br>
<br>
I initially sent this mail privately; resending it to the list on request:<br>
<br>
Kolla-Ansible <a href="https://docs.openstack.org/kolla-ansible/" rel="noreferrer" target="_blank">https://docs.openstack.org/<wbr>kolla-ansible/</a> pip packages<br>
(recommended in the doc) are vulnerable to CVE-2018-1000115.<br>
<br>
The patch has been committed and merged in stable/queens, stable/pike,<br>
stable/ocata <a href="https://review.openstack.org/#/c/550686/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/550686/</a>. However, the pip<br>
stable packages are still based on 5.0.1, which does not contain the fix<br>
(6.0.0.0rc2, which contains the fix, is available in pip, but won't be<br>
installed by default because it's a prerelease).<br>
<br>
While I understand that good security practices would recommend<br>
firewalling etc., and that the fixes are available, I believe having<br>
vulnerable packages in the default, recommended install is an important<br>
issue.<br>
<br>
Moreover, I would like to suggest issuing a Security Advisory when<br>
updated packages are available, because:<br>
- pip/system won't propose upgrades by default, so users may not be aware<br>
they are vulnerable.<br>
- users can actually be hit by CVE-2018-1000115 and participate in DDoS.<br>
- DDoS traffic patterns observed in my cloud are not big bursts, but<br>
follow a classic daily pattern that could look legitimate and so<br>
could stay unnoticed for a long time (see graph,<br>
<a href="http://pix.toile-libre.org/?img=1522070903.png" rel="noreferrer" target="_blank">http://pix.toile-libre.org/?img=1522070903.png</a>, mostly if not only DDoS<br>
traffic in)<br>
<br>
-------------------------------------<br>
How to verify:<br>
<br>
git clone <a href="https://github.com/openstack/kolla-ansible" rel="noreferrer" target="_blank">https://github.com/openstack/<wbr>kolla-ansible</a> ; cd kolla-ansible<br>
<br>
git checkout tags/6.0.0.0rc2 ; git log | grep "Security memcached"<br>
<br>
git checkout tags/5.0.1 ; git log | grep "Security memcached"<br>
<br>
<br>
wget <a href="https://pypi.python.org/packages/cc/f2/27d9e75f2fe142b2a73c57023b055aa9a50e49ba69d7da9c7808c4f25ac1/kolla-ansible-5.0.1.tar.gz#md5=6456618318b58d844ae57b47e34ee569" rel="noreferrer" target="_blank">https://pypi.python.org/packages/cc/f2/27d9e75f2fe142b2a73c57023b055aa9a50e49ba69d7da9c7808c4f25ac1/kolla-ansible-5.0.1.tar.gz#md5=6456618318b58d844ae57b47e34ee569</a><br>
<br>
tar xvzf kolla-ansible-5.0.1.tar.gz<br>
<br>
cat kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2<br>
<br>
(compare with <a href="https://review.openstack.org/#/c/550686/" rel="noreferrer" target="_blank">https://review.openstack.org/#<wbr>/c/550686/</a> if needed)<br>
<br>
<br>
Cheers,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Mathieu Goessens<br>
Research Engineer<br>
IMT Atlantique<br>
<br>
</font></span><br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div>
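The thread's "How to verify" steps inspect the memcached container config that kolla-ansible ships (the memcached.json.j2 template under ansible/roles/memcached/templates/). The following is an added example, not code from kolla-ansible or from either poster, that automates the defensive half of that check: it reads a Kolla-style container config and reports whether the memcached command line leaves the UDP listener on or binds to every interface. Assumptions: Kolla's container config is a JSON object whose "command" key holds the service command line (Jinja variables such as {{ api_interface_address }} may still be present in the unrendered template and are collapsed to a single token); the sample configs are constructed; and, as general memcached knowledge rather than anything the thread states, builds before 1.5.6 listen on UDP 11211 unless -U 0 (or --udp-port=0) is given.

```python
"""Audit a Kolla-style memcached container config for UDP exposure.

Added example (not kolla-ansible code). Kolla renders a per-service JSON
config whose "command" key is the process command line; memcached.json.j2
is the template for memcached's. Samples below are constructed.
"""
import json
import re
import shlex

# Constructed samples. The first mirrors a pre-fix style command (no -U,
# so UDP stays at memcached's historical default of 11211); the second has
# UDP disabled; the third is in unrendered Jinja template form.
VULNERABLE_CONFIG = json.dumps({
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -c 5000",
    "config_files": [],
})
HARDENED_CONFIG = json.dumps({
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -U 0 -c 5000",
    "config_files": [],
})
TEMPLATE_CONFIG = json.dumps({
    "command": "/usr/bin/memcached -vv -l {{ api_interface_address }} "
               "-p {{ memcached_port }} -U 0 -c 5000",
    "config_files": [],
})

JINJA_VAR = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")


def parse_memcached_args(config_text):
    """Return {option: value} for the memcached command in a Kolla config.

    Jinja variables are collapsed to "<name>" so the unrendered template
    tokenises like a rendered command. Long options of the form
    --udp-port=N / --listen=ADDR are normalised onto -U / -l.
    """
    cfg = json.loads(config_text)
    cmd = JINJA_VAR.sub(r"<\1>", cfg["command"])
    argv = shlex.split(cmd)
    opts = {}
    i = 1  # argv[0] is the memcached binary
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:
            name, value = tok.split("=", 1)
            alias = {"--udp-port": "-U", "--listen": "-l", "--port": "-p"}
            opts[alias.get(name, name)] = value
        elif tok.startswith("-"):
            # Options with a value (-l, -p, -U, -c, -m, ...) are followed by
            # a non-dash token; bare flags like -vv are not.
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                opts[tok] = argv[i + 1]
                i += 2
                continue
            opts[tok] = None
        i += 1
    return opts


def audit_memcached(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_memcached_args(config_text)
    findings = []
    # Assumption (general memcached behaviour, pre-1.5.6 builds): UDP is
    # served on 11211 unless the UDP port is explicitly set to 0.
    if opts.get("-U") != "0":
        findings.append("udp-enabled")
    # Binding to all interfaces defeats the "keep it on the internal
    # network" advice from the thread.
    if opts.get("-l") in (None, "0.0.0.0", "::"):
        findings.append("listens-on-all-interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("template", TEMPLATE_CONFIG)]:
        print(name, audit_memcached(cfg) or "ok")
```

Run against a real deployment by replacing the constructed strings with the contents of the rendered memcached config on a controller; the same parser works on the .j2 template pulled from the 5.0.1 tarball in the steps above, so the before/after comparison the thread suggests can be scripted.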