[openstack-dev] [Openstack] [OSSN-0074] Nova metadata service should not be used for sensitive information

Jeremy Stanley fungi at yuggoth.org
Thu Jan 19 15:41:05 UTC 2017


On 2017-01-19 09:34:21 -0500 (-0500), Steve Gordon wrote:
[...]
> Does this configuration directive provide any mitigation for this
> issue?:
> 
> "use_forwarded_for = False         (BoolOpt) Treat X-Forwarded-For
> as the canonical remote address. Only enable this if you have a
> sanitizing proxy."
> 
> Just given its name and stated purpose it seems conspicuous by its
> absence in this OSSN (that is, even if it provides no mitigation
> at all I would have expected to see that noted)?
[...]

I agree it's unfortunate this was omitted in the discussion. If you
follow the original bug report[*], it's only applicable to
environments which set use_forwarded_for = True. The report can be
reduced to the following summary: If you configure nova's metadata
service to rely on X-Forwarded-For (by setting use_forwarded_for =
True) so that you can put a proxy in front of it, then you need to
make sure your network is correctly designed such that untrusted
systems are not allowed to connect directly to the service without
going through your proxy (and also make sure your proxy correctly
rewrites any existing X-Forwarded-For headers it may receive rather
than passing them through untouched).

[*] https://launchpad.net/bugs/1563954
-- 
Jeremy Stanley
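The two conditions Jeremy describes (only trust X-Forwarded-For when the connection actually arrived through the sanitizing proxy, and have that proxy replace rather than pass through any client-supplied header) can be checked with a few lines of code. The following is an added illustration, not nova's own code nor the configuration logic referenced in the bug; the trusted proxy subnet, the `peer_ip` argument and the helper names are assumptions made for the example.

```python
import ipaddress

# Constructed for this example: the subnet the sanitizing proxy lives in.
# Everything outside it is treated as "untrusted system connecting directly".
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def proxy_rewrite_headers(client_ip, incoming_headers):
    """What a sanitizing proxy must do before forwarding to the metadata service:
    drop any X-Forwarded-For the client sent and set it to the real client address.
    (Hypothetical helper; real proxies do this in their own configuration.)"""
    headers = {k: v for k, v in incoming_headers.items()
               if k.lower() != "x-forwarded-for"}
    headers["X-Forwarded-For"] = client_ip
    return headers


def canonical_remote_address(peer_ip, headers, use_forwarded_for,
                             trusted_proxies=TRUSTED_PROXY_NETS):
    """Decide which address the service should treat as the instance address.

    use_forwarded_for=False: the TCP peer is the client, header ignored.
    use_forwarded_for=True:  the header is honoured only if the TCP peer is one
    of the trusted proxies and the header holds exactly one valid address
    (a sanitizing proxy never appends, so a list means something slipped
    through). Otherwise fall back to the peer address.
    """
    if not use_forwarded_for:
        return peer_ip

    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        # Direct connection that bypassed the proxy: the header is attacker-controlled.
        return peer_ip

    # Case-insensitive header lookup.
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if xff is None or "," in xff:
        return peer_ip

    candidate = xff.strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


if __name__ == "__main__":
    # Constructed scenario: an untrusted host connects directly and forges the header.
    forged = {"X-Forwarded-For": "10.0.0.50"}
    print(canonical_remote_address("192.0.2.10", forged, True))
    # A request that really came through the proxy after header rewriting.
    clean = proxy_rewrite_headers("192.0.2.10", forged)
    print(canonical_remote_address("10.0.0.2", clean, True))
```

With `use_forwarded_for = True`, the forged header from the direct connection is discarded and the peer address is used, while the same header value forwarded by the trusted proxy is accepted. The peer check is the "network correctly designed" requirement expressed in code; it does not replace network isolation, it only makes the failure mode visible.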