[openstack-dev] [nova][stable][OSSA 2015-005] Nova console Cross-Site WebSocket hijacking (CVE-2015-0259)

Jeremy Stanley fungi at yuggoth.org
Thu Mar 26 20:23:40 UTC 2015

On 2015-03-26 14:29:03 -0400 (-0400), Lars Kellogg-Stedman wrote:
> The solution, of course, is to make sure that the value of
> novncproxy_base_url is set explicitly where the nova-novncproxy
> service is running. This is a bit of a hack, since the service
> *really* only cares about the protocol portion of the URL,
> suggesting that maybe a new configuration option would have been a
> less intrusive solution.

Thanks for the heads up. The developers working to backport security
fixes to stable branches try to come up with ways to have them
automatically applicable without configuration changes on the part
of the deployers consuming them. Sometimes it's possible, sometimes
it's not, and sometimes they think it is but turn out in retrospect
to have introduced an unintended behavior change. Unfortunately I
think that last possibility is what happened for this bug[1].

It's worth bringing this to the attention of the Nova developers who
implemented the original fix to see if there's a better stable
solution which achieves the goal of protecting deployments where
operators aren't likely to update their configuration while still
maintaining consistent behavior. To that end, I'm Cc'ing the
openstack-dev list, setting MFT and tagging the subject accordingly.

[1] https://launchpad.net/bugs/1409142
Jeremy Stanley

More information about the OpenStack-dev mailing list