[Openstack-security] [Bug 1537175] Re: /info for Swift clusters includes Swift version
Tristan Cacqueray
tdecacqu at redhat.com
Fri Jan 22 19:39:38 UTC 2016
I removed the privacy settings based on above comments.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Won't Fix
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1537175
Title:
/info for Swift clusters includes Swift version
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Object Storage (swift):
Invalid
Bug description:
If querying /info on a Swift cluster, like
https://swift.example.com/info, it will return the Swift version it
runs.
Example: "version": "2.5.0.2.1"
This is a security risk, especially for Internet-facing clusters. In
light of the recent CVEs (released on or around 2016-01-21), any
Internet-facing cluster not yet patched with the fixes can be easily
queried for its version and the vulnerabilities can be readily taken
advantage of. Hence, /info should probably not include the running
Swift version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1537175/+subscriptions
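An operator-side check for the disclosure described in the bug, added here as an example (it is not code from the bug report or from the Swift project). It walks a /info JSON document, reports every "version" field with its path, and includes a small fetch helper for running it against a real proxy. The sample response is constructed; the real document varies by cluster. If the check flags a version string on an Internet-facing cluster, the relevant proxy-server.conf knobs are `expose_info = false` (disables /info entirely) or `disallowed_sections` (hides individual sections such as `swift.version` while keeping the rest of /info available to clients).

```python
"""Audit a Swift /info response for version disclosure (added example)."""
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample of a /info document; not captured from a real cluster.
SAMPLE_INFO = json.dumps({
    "swift": {
        "version": "2.5.0.2.1",
        "max_file_size": 5368709122,
        "policies": [{"name": "Policy-0", "default": True}],
    },
    "tempurl": {"methods": ["GET", "HEAD", "PUT"]},
    "bulk_upload": {"max_containers_per_extraction": 10000},
})


def find_version_fields(doc: Any, path: str = "") -> Dict[str, str]:
    """Recursively collect every string-valued 'version' key, keyed by dotted path."""
    found: Dict[str, str] = {}
    if isinstance(doc, dict):
        for key, val in doc.items():
            child = f"{path}.{key}" if path else key
            if key == "version" and isinstance(val, str):
                found[child] = val
            else:
                found.update(find_version_fields(val, child))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            found.update(find_version_fields(item, f"{path}[{i}]"))
    return found


def audit_info(body: str) -> List[str]:
    """Return one finding per disclosed version field in an /info JSON body."""
    versions = find_version_fields(json.loads(body))
    findings = [f"version disclosed at {p}: {v}" for p, v in sorted(versions.items())]
    if not findings:
        findings.append("no version fields exposed")
    return findings


def fetch_info(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /info from a Swift proxy you operate (network call; unused offline)."""
    url = f"{base_url.rstrip('/')}/info"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_info(...) for a live check.
    for line in audit_info(SAMPLE_INFO):
        print(line)
```

Run it against the constructed sample to see the single `swift.version` finding; a cluster with `disallowed_sections = swift.version` set should report no version fields, while one with `expose_info = false` will return a 403 from /info and the fetch helper will raise.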