Broken Security Link on Website and general bad discoverability of security related information
Hi,

I just noticed, while researching information regarding these two CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2021-3177
https://nvd.nist.gov/vuln/detail/CVE-2021-23336

that the link to the Security Contacts on the website is broken: https://www.openstack.org/openstack-security/ is a 404 for me.

I found the dead link here: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

Another "bug" imho is that there is no information on how to contact the security team on the main website, and the search for "security" does not really yield good results on how to contact the security team either.

If someone has any information on these vulnerabilities and how they affect OpenStack, I'd be delighted to hear from you. A cursory search of Gerrit didn't yield anything. If I search the website using the integrated search for the CVE, the top result is some 2021 Board Election...

Red Hat and SUSE both state that their distributions of OpenStack are affected:

https://access.redhat.com/security/cve/cve-2021-23336
https://www.suse.com/security/cve/CVE-2021-23336/

So I guess the base distro is also affected, as these are core OpenStack components imho?

Thanks for your time.

--
Kind regards
Sven Kieske
Systems Developer

Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
32339 Espelkamp

Tel.: 05772 / 293-900
Fax: 05772 / 293-333
https://www.mittwald.de

Managing Directors: Robert Meyer, Florian Jürgens
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

Information on data processing in the course of our business activities pursuant to Art. 13-14 GDPR is available at www.mittwald.de/ds.
On 2021-02-25 09:21:17 +0000 (+0000), Sven Kieske wrote:
> I just noticed, while researching information regarding these two CVEs:
Yes, those are indeed serious bugs, but OpenStack does not officially distribute the Python interpreter nor its source code. We generally recommend sensitive and production users of our software consume our dependencies from a trusted distributor of those components (for example, a major GNU/Linux distribution). OpenStack's Vulnerability Management Team is focused on vulnerabilities within the software OpenStack produces.
> That the Link to the Security Contacts on the Website is broken:
> https://www.openstack.org/openstack-security/ is a 404 for me.
> I found the dead link here:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce
Thanks, it looks like we were embedding some very old URLs in the footer for our mailing list site which pointed to the foundation's site for OpenStack rather than the community-managed security information. I have proposed https://review.opendev.org/777602 to correct this oversight.
> Another "Bug" imho is, that there is no information how to contact the security team on the main website, and the search for "security" does not really yield good results how to contact the security team either.

I agree. I've brought this up with the foundation web development team, who maintain that website for us; I'll raise it with them again and find out if they can work out something for better discoverability. I'm not sure why it keeps disappearing or getting moved, but I'll do my best to impress on them that having security contact information linked from the most prominent pages (if not every page) is important for our users. If you'd stumbled onto their page about the "Community" at https://www.openstack.org/community/ you'd see a "User resources" section under "Contributor Resources" (yep, that's confusing) in the footer with a link to "Security advisories", which is a fairly terrible place for that to be hidden.
> If someone has any information on these vulnerabilities and how they affect openstack I'd be delighted to hear from you.
OpenStack is written primarily in Python, so it is entirely possible for OpenStack to expose bugs in that dependency in a variety of ways, as would be the case for any of OpenStack's thousands of dependencies (after all, in most cases OpenStack depends on having an operating system, and can likely expose bugs just about anywhere within it for at least some configurations). I won't begin to pretend I can examine the entire surface area of our millions of lines of source code to point out the various ways that might happen. Suffice to say, you should patch or upgrade your Python interpreter using the packages supplied by your distribution. The same goes for any vulnerability you're worried about, really.
> a cursory search of gerrit didn't yield anything. If I search the website using the integrated search for the CVE the top result is some 2021 Board Election...
Again, sorry that you couldn't find the security site, but for reference it's https://security.openstack.org/ (and we'll get the incorrect links you found corrected to that in short order). You'll only find advisories there for vulnerabilities in the software which is produced by the OpenStack community, so for example advisories about software produced by the Python community would be somewhere on or linked from the python.org site instead.
> RedHat and Suse both state that their distributions of openstack are affected:
> https://access.redhat.com/security/cve/cve-2021-23336
> https://www.suse.com/security/cve/CVE-2021-23336/
> So I guess the base distro is also affected, as these are core openstack components imho?
There is no "base distro" of OpenStack. Red Hat and SUSE both produce distributions of OpenStack which, strictly speaking, means OpenStack software combined with other software such as OpenStack's dependencies and an operating system to run it all on. So in those cases it's the Python interpreters in their distributions which the vulnerabilities you linked are affecting, but not the OpenStack software which they're also including in the distributions. -- Jeremy Stanley
On Thu, 2021-02-25 at 15:06 +0000, Jeremy Stanley wrote:
> > So I guess the base distro is also affected, as these are core openstack components imho?
>
> There is no "base distro" of OpenStack. Red Hat and SUSE both produce distributions of OpenStack which, strictly speaking, means OpenStack software combined with other software such as OpenStack's dependencies and an operating system to run it all on. So in those cases it's the Python interpreters in their distributions which the vulnerabilities you linked are affecting, but not the OpenStack software which they're also including in the distributions.

Ya, with my downstream hat on, the Python interpreter and standard libs are not considered to be part of the OpenStack product; they are part of the base operating system distribution and we just use them in the OpenStack product. I would not consider CVEs in the Python interpreter to be a CVE in OpenStack. OpenStack would certainly be affected by it, but it's outside of the OpenStack production team's hands to fix.

From an upstream perspective I also agree there is no base distribution of OpenStack + an interpreter. There are the upstream repositories of the OpenStack project hosted on https://opendev.org, but we do not distribute a Python runtime or all of the external libraries that OpenStack depends on as a single distribution, so those CVEs appear to be outside the scope of the OpenStack vulnerability team to address. That does not mean the OpenStack community does not care about them; they just are not part of the software we maintain and develop.
On 2021-02-25 15:06:33 +0000 (+0000), Jeremy Stanley wrote:
> On 2021-02-25 09:21:17 +0000 (+0000), Sven Kieske wrote:
> [...]
> > That the Link to the Security Contacts on the Website is broken:
> > https://www.openstack.org/openstack-security/ is a 404 for me.
> > I found the dead link here:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce
>
> Thanks, it looks like we were embedding some very old URLs in the footer for our mailing list site which pointed to the foundation's site for OpenStack rather than the community-managed security information. I have proposed https://review.opendev.org/777602 to correct this oversight.
The change to correct this is now merged and deployed, so the links go to the appropriate location. Thanks again for pointing it out.
> > Another "Bug" imho is, that there is no information how to contact the security team on the main website, and the search for "security" does not really yield good results how to contact the security team either.
>
> I agree, I've brought this up with the foundation web development team who maintain that website for us, I'll raise it with them again and find out if they can work out something for better discoverability. I'm not sure why it keeps disappearing or getting moved, but I'll do my best to impress on them that having security contact information linked from the most prominent pages (if not every page) is important for our users.
> [...]

The answer I got was that they used to have a security-related topics page linked in the drop-down navigation and page footers, but removed it because it contained some stale content. Unfortunately it also contained critical links to our community-managed security information site, which they didn't notice/consider. Huge thanks to the foundation web developers for quickly re-adding a link to https://security.openstack.org/ from the global page footer block for all of https://www.openstack.org/ so that users should be more readily able to find this information again.

--
Jeremy Stanley
Thanks for all the detailed answers and for forwarding the message to the appropriate people.

I'm aware that upstream OpenStack is not really a "distribution"; guess I was just sloppy with my wording, apologies for that.

Also thanks for correcting my assumption that OpenStack was directly shipping code which I thought to be vulnerable. From my initial reading I thought that e.g. the Tornado web server was vulnerable directly, and when I found the Red Hat/SUSE sites claiming that their OpenStack releases were affected I thought this must have a different meaning than just using a vulnerable Python version, as the bugs in the Python implementation are listed separately on these pages. Of course Tornado only gets installed via pip/third-party repositories, so if the upstreams get fixed no further action is needed.

Thanks for all your input, it's much appreciated.

--
Kind regards
Sven Kieske