[openstack-dev] [kolla] Kolla-Ansible pip packages vulnerable to CVE-2018-1000115

Mathieu Goessens mathieu.goessens at imt-atlantique.fr
Mon Mar 26 14:36:00 UTC 2018


Hi folks,

I initially sent this mail privately, resending it to the list on request:

Kolla-Ansible https://docs.openstack.org/kolla-ansible/ pip packages
(recommended in the doc) are vulnerable to CVE-2018-1000115.

The patch has been committed and merged into stable/queens, stable/pike,
stable/ocata https://review.openstack.org/#/c/550686/. However, the pip
stable packages are still based on 5.0.1, which does not contain the fix
(6.0.0.0rc2, which contains the fix, is available in pip, but won't be
installed by default because it is a prerelease).

While I understand that good security practices would recommend
firewalling etc., and that the fixes are available, I believe having
vulnerable packages in the default, recommended install is an important
issue.

Moreover, I would like to suggest issuing a Security Advisory when
updated packages become available, because:
- pip/system won't propose upgrades by default, so users may not be aware
they are vulnerable.
- users can actually be hit by CVE-2018-1000115 and participate in DDoS.
- the DDoS traffic patterns observed in my cloud are not big bursts, but
follow a classic daily pattern that could look legitimate and so
could stay unnoticed for a long time (see graph,
http://pix.toile-libre.org/?img=1522070903.png, mostly if not only DDoS
traffic in)

-------------------------------------
How to verify:

# Clone the project and confirm that the fix commit is present in the
# 6.0.0.0rc2 tag but absent from 5.0.1 (the version the stable pip package
# is built from)
git clone https://github.com/openstack/kolla-ansible ; cd kolla-ansible

git checkout tags/6.0.0.0rc2 ; git log | grep "Security memcached"

git checkout tags/5.0.1 ; git log | grep "Security memcached"


# Fetch the 5.0.1 sdist from PyPI and inspect the memcached template it ships
wget https://pypi.python.org/packages/cc/f2/27d9e75f2fe142b2a73c57023b055aa9a50e49ba69d7da9c7808c4f25ac1/kolla-ansible-5.0.1.tar.gz#md5=6456618318b58d844ae57b47e34ee569

tar xvzf kolla-ansible-5.0.1.tar.gz

cat kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2

(compare with https://review.openstack.org/#/c/550686/ if needed)


Cheers,
-- 
Mathieu Goessens
Research Engineer
IMT Atlantique
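The "cat memcached.json.j2" step above leaves the reader to eyeball the memcached command line. The following is an added example, not part of this mail or of the kolla-ansible project, that automates that inspection: it pulls the "command" field out of a kolla-style memcached.json.j2 and reports whether the memcached UDP listener is turned off. It assumes that the mitigation for CVE-2018-1000115 is the standard one of disabling UDP with "-U 0" (or "--udp-port=0"), and that memcached otherwise listens on UDP 11211 by default; the template snippets embedded below are constructed for the example and are not the project's actual file.

```python
"""Audit a memcached command line, or a kolla-style memcached.json.j2 template,
for the CVE-2018-1000115 mitigation (UDP listener disabled).

Added example; assumes the fix disables UDP via "-U 0" / "--udp-port=0".
"""
import json
import re
import shlex

# memcached historically listens on UDP 11211 unless told otherwise (assumption:
# a pre-1.5.6 memcached, which is what the amplification attacks relied on).
DEFAULT_UDP_PORT = 11211

# Constructed sample templates, loosely shaped like a kolla memcached.json.j2
# (hypothetical content, not the project's real file). The "command" field is
# the memcached invocation the container will run.
VULNERABLE_TEMPLATE = '''{
    "command": "/usr/bin/memcached -vv -l {{ api_interface_address }} -p 11211 -c 1024 -m 1024",
    "config_files": []
}'''

FIXED_TEMPLATE = '''{
    "command": "/usr/bin/memcached -vv -l {{ api_interface_address }} -p 11211 -U 0 -c 1024 -m 1024",
    "config_files": []
}'''

# Constructed sample with Jinja outside the JSON strings: not valid JSON, so the
# extractor has to fall back to a regex over the raw text.
JINJA_TEMPLATE = '''{
    "command": "/usr/bin/memcached -l {{ api_interface_address }} -p {{ memcached_port }} -U 0",
    "config_files": [{% if memcached_extra_files %} "extra" {% endif %}]
}'''


def extract_command(template: str) -> str:
    """Return the "command" value from a memcached.json.j2 template.

    Tries a strict JSON parse first (works when Jinja only appears inside
    strings) and falls back to a regex for templates with Jinja blocks
    outside the strings.
    """
    try:
        return json.loads(template)["command"]
    except (ValueError, KeyError, TypeError):
        match = re.search(r'"command"\s*:\s*"((?:[^"\\]|\\.)*)"', template)
        if not match:
            raise ValueError('no "command" field found in template')
        return match.group(1)


def memcached_udp_port(command: str) -> int:
    """Return the UDP port memcached would listen on for this command line.

    Recognises "-U 0", "-U0", "--udp-port 0" and "--udp-port=0"; when the flag
    is repeated, the last occurrence wins, mirroring getopt behaviour.
    """
    tokens = shlex.split(command)
    port = DEFAULT_UDP_PORT
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-U", "--udp-port"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} given without a port value")
            port = int(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("-U") and tok[2:].isdigit():      # "-U0" form
            port = int(tok[2:])
        elif tok.startswith("--udp-port="):                 # "--udp-port=0" form
            port = int(tok.split("=", 1)[1])
        i += 1
    return port


def audit_template(template: str) -> dict:
    """Summarise the UDP exposure implied by a memcached.json.j2 template."""
    command = extract_command(template)
    port = memcached_udp_port(command)
    return {"command": command, "udp_port": port, "udp_disabled": port == 0}


if __name__ == "__main__":
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE),
                      ("fixed", FIXED_TEMPLATE),
                      ("jinja", JINJA_TEMPLATE)):
        result = audit_template(tpl)
        verdict = "UDP disabled" if result["udp_disabled"] else f"UDP listening on {result['udp_port']}"
        print(f"{name:10s}: {verdict}")
```

To run it against a real package, read the template file fetched by the wget/tar steps above and pass its contents to audit_template(); a result with "udp_disabled" False means the memcached container would still expose a UDP listener and needs the fix from the review linked above (or a firewall rule in front of it).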


