[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Gary Kotton gkotton at vmware.com
Mon Dec 23 14:51:32 UTC 2013


Hi,
Which driver are you using? For the VMware driver we found an edge case
where this may happen - please see
https://bugs.launchpad.net/nova/+bug/1255609 and the fix for this is
(https://review.openstack.org/#/c/58994/).
Thanks
Gary


On 12/23/13 3:16 PM, "Jay Pipes" <jaypipes at gmail.com> wrote:

>On 12/22/2013 12:37 PM, Martinx - ジェームズ wrote:
>> Stackers!
>>
>> I need a bit of help here...
>>
>> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
>> know what had happened here but, now, I'm seeing some weird problems.
>>
>> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
>>
>> How is that even possible?! There is no authentication here to deal with
>> this kind of thing!? I'm really worried about this.
>>
>> Look:
>>
>> "Tenant A" Instances:
>>
>> Inline images 1
>>
>>
>> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
>>
>> Inline images 2
>>
>>
>> This is a very serious problem, since I'm giving "Tenant A"
>> almost total access to "Tenant B" Instances!! This kind of situation
>> should NEVER occur!
>>
>> What can I do to completely block this?
>>
>> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
>> Console from "Tenant B"!!
>
>Thiago, yes, this is indeed a major security breach. If you have not
>already, please create a bug in Launchpad with your image attachments
>and a description to reproduce the bug if you can. Please mark the bug
>as a security/private bug.
>
>Thank you!
>-jay
>
>




