[openstack-dev] [nova][stable][OSSA 2015-005] Nova console Cross-Site WebSocket hijacking (CVE-2015-0259)

Tristan Cacqueray tristan.cacqueray at enovance.com
Tue Mar 31 21:35:16 UTC 2015


On 03/26/2015 04:23 PM, Jeremy Stanley wrote:
> On 2015-03-26 14:29:03 -0400 (-0400), Lars Kellogg-Stedman wrote:
> [...]
>> The solution, of course, is to make sure that the value of
>> novncproxy_base_url is set explicitly where the nova-novncproxy
>> service is running. This is a bit of a hack, since the service
>> *really* only cares about the protocol portion of the URL,
>> suggesting that maybe a new configuration option would have been a
>> less intrusive solution.
> [...]
> 
> Thanks for the heads up. The developers working to backport security
> fixes to stable branches try to come up with ways to have them
> automatically applicable without configuration changes on the part
> of the deployers consuming them. Sometimes it's possible, sometimes
> it's not, and sometimes they think it is but turn out in retrospect
> to have introduced an unintended behavior change. Unfortunately I
> think that last possibility is what happened for this bug[1].
> 
> It's worth bringing this to the attention of the Nova developers who
> implemented the original fix to see if there's a better stable
> solution which achieves the goal of protecting deployments where
> operators aren't likely to update their configuration while still
> maintaining consistent behavior. To that end, I'm Cc'ing the
> openstack-dev list, setting MFT and tagging the subject accordingly.
> 
> [1] https://launchpad.net/bugs/1409142
> 

Thanks Lars for bringing this up!

I've submitted a documentation change to document that new behavior[2]
and I'd like to amend the release note[3] with this:

There is a known issue with the new websocket origin access control
(OSSA 2015-005): ValidationError will prevent VNC and SPICE connection
if base_urls are not properly configured. The novncproxy_base_url and
html5proxy_base_url now need to match the TLS settings of the connection
origin and needs to be set explicitly where the nova proxy service is
running.

Feedback are most welcome...

[2]: https://review.openstack.org/169515
[3]: https://wiki.openstack.org/wiki/ReleaseNotes/2014.1.4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150331/398938a7/attachment.pgp>


More information about the OpenStack-dev mailing list