[openstack-dev] [kolla] Kolla-Ansible pip packages vulnerable to CVE-2018-1000115

Jeffrey Zhang zhang.lei.fly at gmail.com
Mon Mar 26 15:40:58 UTC 2018


Hi Mathieu,

Thanks for raising this issue.

The patch is merged on all branches but not released [0]. We will release the
next release ASAP.

But on the other hand, if you build an OpenStack cloud through kolla that is
accessible from the internet, you'd better use an external network (interface)
for internet access. There are lots of ports enabled on the internal network,
like MariaDB and Memcached.

[0]
https://review.openstack.org/#/q/I30acb41f1209c0d07eb58f4feec91bc53146dcea

On Mon, Mar 26, 2018 at 10:36 PM, Mathieu Goessens <mathieu.goessens at imt-atlantique.fr> wrote:

> Hi folks,
>
> I initially sent this mail privately, resending it to the list on request:
>
> Kolla-Ansible https://docs.openstack.org/kolla-ansible/ pip packages
> (recommended in the doc) are vulnerable to CVE-2018-1000115.
>
> The patch has been committed and merged in stable/queens, stable/pike and
> stable/ocata (https://review.openstack.org/#/c/550686/). However, the pip
> stable packages are still based on 5.0.1, which does not contain the fix
> (6.0.0.0rc2, which contains the fix, is available in pip, but won't be
> installed by default because it's a prerelease).
>
> While I understand that good security practices would recommend
> firewalling etc., and that the fixes are available, I believe having
> vulnerable packages in the default, recommended install is an important
> issue.
>
> Moreover, I would like to suggest issuing a Security Advisory when
> updated packages are available, because:
> - pip/system won't propose upgrades by default, so users may not be aware
> they are vulnerable.
> - users can actually be hit by CVE-2018-1000115 and participate in DDoS.
> - the DDoS traffic patterns observed in my cloud are not big bursts, but
> follow a classic daily pattern that could look legitimate and so
> could stay unnoticed for a long time (see graph,
> http://pix.toile-libre.org/?img=1522070903.png, mostly if not only DDoS
> traffic in)
>
> -------------------------------------
> How to verify:
>
> git clone https://github.com/openstack/kolla-ansible ; cd kolla-ansible
>
> git checkout tags/6.0.0.0rc2 ; git log | grep "Security memcached"
>
> git checkout tags/5.0.1 ; git log | grep "Security memcached"
>
>
> wget https://pypi.python.org/packages/cc/f2/27d9e75f2fe142b2a73c57023b055aa9a50e49ba69d7da9c7808c4f25ac1/kolla-ansible-5.0.1.tar.gz#md5=6456618318b58d844ae57b47e34ee569
>
> tar xvzf kolla-ansible-5.0.1.tar.gz
>
> cat kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2
>
> (compare with https://review.openstack.org/#/c/550686/ if needed)
>
>
> Cheers,
> --
> Mathieu Goessens
> Research Engineer
> IMT Atlantique
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
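As an added example (not code from this thread or from the kolla-ansible project), here is a small audit of a rendered kolla memcached container config: it assumes, as in kolla-ansible's memcached.json.j2, that the JSON carries a `command` key holding the memcached command line, and reports whether the UDP listener that CVE-2018-1000115 abuses is still enabled. The two sample configs and their flag values are constructed for the example.

```python
import json
import shlex
from typing import Optional

# Constructed sample inputs modelled on the shape of kolla-ansible's
# memcached.json.j2 (a "command" key holding the memcached command line).
# The exact flags below are assumptions for this example, not the project's.
VULNERABLE_CONFIG = json.dumps({
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -m 256",
    "config_files": [],
})
HARDENED_CONFIG = json.dumps({
    "command": "/usr/bin/memcached -vv -l 10.0.0.5 -p 11211 -U 0 -m 256",
    "config_files": [],
})


def memcached_udp_port(command: str) -> Optional[int]:
    """Return the UDP port given with -U (0 means UDP disabled).

    Returns None when no -U flag is present, so the caller can apply the
    version-dependent default: memcached before 1.5.6 listens on UDP by
    default, 1.5.6 and later only when -U is given explicitly.
    """
    argv = shlex.split(command)
    udp = None
    for i, arg in enumerate(argv):
        if arg == "-U" and i + 1 < len(argv):        # "-U 0" form
            udp = int(argv[i + 1])
        elif arg.startswith("-U") and len(arg) > 2:  # "-U0" getopt form
            udp = int(arg[2:])
    return udp


def udp_amplification_exposed(config_json: str,
                              memcached_version: tuple = (1, 5, 0)) -> bool:
    """True if this container config leaves memcached's UDP listener open.

    The amplification attack needs the UDP listener; the kolla-ansible
    fix passes '-U 0' to turn it off.
    """
    command = json.loads(config_json)["command"]
    udp = memcached_udp_port(command)
    if udp is None:
        # No explicit flag: fall back to the default for this memcached version.
        return memcached_version < (1, 5, 6)
    return udp != 0


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: UDP exposed = {udp_amplification_exposed(cfg)}")
```

Run it against the rendered `/etc/kolla/memcached/config.json` on a deployed host, or against the template after rendering, to confirm the `-U 0` fix actually reached the container command line.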