<div dir="ltr"><div>That's great.<br></div>Thanks to Tristan and Paul.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div>Regards<b><br><font size="1">Jitendra</font></b><font size="1"><br></font></div><div><font size="1">+91-9989743042</font><br></div><div><br></div><br></div></div><br><div><div><div><br></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Mar 13, 2015 at 11:16 PM, Tristan Cacqueray <span dir="ltr">&lt;<a href="mailto:tristan.cacqueray@enovance.com" target="_blank">tristan.cacqueray@enovance.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">==========================================================<br>
OSSA-2015-005: Nova console Cross-Site WebSocket hijacking<br>
==========================================================<br>
<br>
:Date: March 13, 2015<br>
:CVE: CVE-2015-0259<br>
<br>
<br>
Affects<br>
~~~~~~~<br>
- Nova: up to 2014.1.3 and 2014.2 versions up to 2014.2.2<br>
<br>
<br>
Description<br>
~~~~~~~~~~~<br>
Brian Manifold from Cisco and Paul McMillan from Nebula reported a<br>
vulnerability in Nova console websocket. By tricking an authenticated<br>
user into visiting a malicious URL, a remote attacker or a man in the<br>
middle may exploit a cross-site-websocket-hijacking vulnerability<br>
resulting in potential hijack of consoles where the user is still<br>
logged in. Only Nova setups with vnc or spice enabled are affected.<br>
<br>
<br>
Patches<br>
~~~~~~~<br>
- <a href="https://review.openstack.org/163035" target="_blank">https://review.openstack.org/163035</a> (Icehouse)<br>
- <a href="https://review.openstack.org/163034" target="_blank">https://review.openstack.org/163034</a> (Juno)<br>
- <a href="https://review.openstack.org/163033" target="_blank">https://review.openstack.org/163033</a> (Kilo)<br>
<br>
<br>
Credits<br>
~~~~~~~<br>
- Brian Manifold from Cisco (CVE-2015-0259)<br>
- Paul McMillan from Nebula (CVE-2015-0259)<br>
<br>
<br>
References<br>
~~~~~~~~~~<br>
- <a href="https://launchpad.net/bugs/1409142" target="_blank">https://launchpad.net/bugs/1409142</a><br>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0259" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0259</a><br>
<br>
<br>
Notes<br>
~~~~~<br>
- This fix is included in 2014.1.4 (icehouse) release and it will be included<br>
  in the kilo-3 development milestone and in the future 2014.2.3 (juno)<br>
  release.<br>
<br>
--<br>
Tristan Cacqueray<br>
OpenStack Vulnerability Management Team<br>
<br>
<br></blockquote></div><br></div>
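<div>The advisory quoted above names the vulnerability class but not the check that closes it. As an added example (not code from the advisory or from the Nova patches), this sketch shows the standard defence against cross-site WebSocket hijacking: validating the handshake's Origin header before upgrading. The function names, <code>extra_origins</code>, <code>allow_missing</code> and the <code>example.test</code> hosts are assumptions made up for illustration.</div>

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_headers(raw_request: bytes) -> dict:
    """Header fields of a raw HTTP upgrade request, names lowercased."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def origin_tuple(url: str):
    """Normalise a URL to (scheme, host, port); None if it is not http(s)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname,
            DEFAULT_PORTS[parts.scheme] if port is None else port)

def origin_allowed(raw_request, tls, extra_origins=(), allow_missing=False):
    """Decide whether to complete the WebSocket handshake (hypothetical helper)."""
    headers = parse_headers(raw_request)
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing
        # header means a non-browser client; the policy for those is a choice.
        return allow_missing
    got = origin_tuple(origin)  # "null" and non-http(s) origins become None
    if got is None:
        return False
    scheme = "https" if tls else "http"
    own = origin_tuple(f"{scheme}://{headers.get('host', '')}")
    allowed = {own} | {origin_tuple(o) for o in extra_origins}
    allowed.discard(None)
    return got in allowed  # exact match on scheme, host and port

def sample_handshake(host, origin=None) -> bytes:
    """Constructed upgrade request for the demo; not captured traffic."""
    lines = ["GET / HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

<div>Matching the scheme as well as the host matters for the man-in-the-middle case the advisory mentions: a plain-http page on the same hostname is a different origin from the TLS console endpoint and is rejected.</div>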