[I've moved some of the subject keywords to topic tags in hopes they'll match more people's mail filters.]

On 2022-08-01 12:29:30 +0530 (+0530), Swogat Pradhan wrote:
> I am setting up an OpenStack Wallaby cloud for a client using TripleO. After setting everything up the client ran a web scan and found some vulnerabilities (attached snapshot for reference).
> Can you please guide me on how to fix these vulnerabilities in the dashboard service?
I'm one of the vulnerability coordinators for OpenStack, and while I don't have deep knowledge of Horizon or TripleO, I'll do my best to address some of these points until others are able to jump in with more specifics.

No WAF Detected: This looks like your scanner wants you to put a "web application firewall" in front of Horizon. I'm going to guess TripleO doesn't incorporate one in its deployments, but you should theoretically be able to use whatever WAF you're using for other web-based services you're operating, or install one of your choice in your network.

jQuery is Vulnerable: This is https://launchpad.net/bugs/1955556 and seems currently blocked by incompatibilities in jQuery-Migrate per https://launchpad.net/bugs/1914782 (as best I can tell).

No Anti-CSRF tokens were found in a HTML submission form: It's hard to know whether this is a missed implementation for some interface or a misconfiguration. Is CSRF_COOKIE_SECURE turned on in your Horizon config? I see what looks like a HorizonSecureCookies option in tripleo-heat-templates and tripleo-ansible, which appears to default to false, so you might have to toggle that to true, though as I said I'm not all that familiar with TripleO's implementation, and it looks like it might normally get switched on if SSL/TLS is enabled, so maybe there's something else going on in your case.

Brute force attack: The description there is vague. Is it talking about Keystone credential brute-forcing? If so, there are options you can turn on, for example PCI-DSS compliance related ones, to automatically lock out accounts after too many login failures. See https://docs.openstack.org/keystone/latest/admin/configuration.html#security... for details on these features.

Hopefully that helps for a start, but others should be able to provide more in-depth answers.
-- 
Jeremy Stanley
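As an added verification aid (not part of Jeremy's reply or of any OpenStack project's code), the Python script below re-checks two of the scanner findings discussed above against a saved Horizon page and its Set-Cookie headers: it lists POST forms that lack Django's csrfmiddlewaretoken hidden field (Horizon is Django-based) and session/CSRF cookies set without the Secure flag. The sample HTML and cookie headers are constructed for illustration.

```python
# Added example (not from the thread): offline checks for two of the scanner findings above.
# Horizon is Django-based; Django's CSRF hidden field is named 'csrfmiddlewaretoken'.
from html.parser import HTMLParser
CSRF_FIELD = "csrfmiddlewaretoken"

class FormCollector(HTMLParser):
    """Record each <form> (action, method) and whether it carries the CSRF hidden field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": (a.get("method") or "get").lower(), "token": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name") == CSRF_FIELD:
                self._cur["token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def forms_missing_csrf(html):
    """Actions of POST forms without a CSRF token; GET forms are read-only and need none."""
    p = FormCollector()
    p.feed(html)
    return [f["action"] for f in p.forms if f["method"] == "post" and not f["token"]]

def insecure_cookies(set_cookie_headers, names=("csrftoken", "sessionid")):
    """Names of session/CSRF cookies set without the Secure flag (the attribute that
    CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE control in a Django settings file)."""
    bad = []
    for hdr in set_cookie_headers:
        parts = [p.strip() for p in hdr.split(";")]
        name, flags = parts[0].split("=", 1)[0], {p.lower() for p in parts[1:]}
        if name in names and "secure" not in flags:
            bad.append(name)
    return bad

# Constructed sample response: login form lacks a token, settings form has one, search form is GET.
SAMPLE_HTML = """
<form action="/auth/login/" method="post"><input type="text" name="username"></form>
<form action="/settings/" method="POST">
  <input type="hidden" name="csrfmiddlewaretoken" value="EXAMPLE"></form>
<form action="/search/" method="get"><input name="q"></form>
"""
SAMPLE_COOKIES = ["csrftoken=abc; Path=/; SameSite=Lax", "sessionid=def; Path=/; HttpOnly; Secure"]
```

Feed it the HTML of each Horizon page and the Set-Cookie headers from the login response to confirm whether the scanner's report reflects a real gap or a misread of a GET-only form.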