[openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

Robert Collins robertc at robertcollins.net
Wed Aug 7 09:20:37 UTC 2013


On 7 August 2013 20:30, Thierry Carrez <thierry at openstack.org> wrote:
> Gabriel Hurley wrote:
>> Many of you have probably heard about the "BREACH" attack/security vulnerability in HTTPS traffic that was disclosed recently, and I'd like to take a moment to provide some info about how that affects Horizon. I'm not following the official vulnerability management process because 1. The vulnerability is already disclosed publicly, 2. Workaround information has already been published by Django and many others, and 3. There's no one-off code fix on our end so awareness is the best possible thing.
>
> Agree that there is nothing to patch in our code at this point and
> therefore no base for an OpenStack Security Advisory (OSSA). The
> information you provided would still make a great OpenStack Security
> Note (OSSN), though. Those are issued by the OpenStack Security Group, I
> CC-ed Rob Clark so that he puts it on his radar.

Note that our API services are likely a rich target too - when running
under SSL it should be fairly straight forward to get minor changes to
the payload from keystone (e.g. with repeated token calls - but I
don't know the API well enough to speculate in detail).

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud



More information about the OpenStack-dev mailing list