Open Stack

Any idea what would have fixed it? My understanding of this report was
that it's an architectural issue in deployments where if you set up a
proxy (for example a load balancer) between the guest instances and the
metadata service then you need to be able to tell the metadata service
to look at the X-Forwarded-For header added by the load balancer to know
which instance is making the request. If you set that and your network
is mis-designed to allow instances to also contact the metadata service
directly without passing through the load balancer, then the request
from the instance can be specially constructed so as to include a
spoofed X-Forwarded-For header which allows it to obtain metadata for a
different instance associated with the address included in that injected
header.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954

Title:
  use_forwarded_for exposes metadata

Status in OpenStack Compute (nova):
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  The nova metadata service uses the remote address to determine which
  metadata to retrieve. In order to work behind a proxy there is an
  option use_forwarded_for which will use the X-Forwarded-For header to
  determine the remote IP.

  If this option is set then anyone who can access the metadata port can
  request metadata for any instance if they know the IP.

  The user data is also exposed.

  $ echo 123456 > /tmp/data
  $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
  <wait>
  $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
  123456

  At a minimum this side-effect isn't documented anywhere I could find.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions