[horizon][security-sig][tripleo] Security vulnerabilities in Horizon dashboard | Openstack Wallaby

Jeremy Stanley fungi at yuggoth.org
Mon Aug 1 14:17:31 UTC 2022


[I've moved some of the subject keywords to topic tags in hopes
they'll match more people's mail filters.]

On 2022-08-01 12:29:30 +0530 (+0530), Swogat Pradhan wrote:
> I am setting up an openstack wallaby cloud for a client using tripleo.
> After setting everything up the client ran a WEB scan and found some
> vulnerabilities (attached snapshot for reference).
> 
> Can you please guide me on how to fix these vulnerabilities in the
> dashboard service?

I'm one of the vulnerability coordinators for OpenStack, and while I
don't have deep knowledge of Horizon or TripleO, I'll do my best to
address some of these points until others are able to jump in with
more specifics.

No WAF Detected: This looks like your scanner wants you to put a
"web application firewall" in front of Horizon. I'm going to guess
TripleO doesn't incorporate one in its deployments, but you should
theoretically be able to use whatever WAF you're using for other
web-based services you're operating, or install one of your choice
in your network.

jQuery is Vulnerable: This is https://launchpad.net/bugs/1955556 and
seems currently blocked by incompatibilities in jQuery-Migrate per
https://launchpad.net/bugs/1914782 (as best I can tell).

No Anti-CSRF tokens were found in a HTML submission form: It's hard
to know whether this is a missed implementation for some interface
or a misconfiguration. Is CSRF_COOKIE_SECURE turned on in your
Horizon config? I see what looks like a HorizonSecureCookies option
in tripleo-heat-templates and tripleo-ansible, which appears to
default to false, so you might have to toggle that to true, though
as I said I'm not all that familiar with TripleO's implementation,
and it looks like it might normally get switched on if SSL/TLS is
enabled, so maybe there's something else going on in your case.

Brute force attack: The description there is vague. Is it talking
about Keystone credential brute-forcing? If so, there are options
you can turn on, for example PCI-DSS compliance related ones, to
automatically lock out accounts after too many login failures. See
https://docs.openstack.org/keystone/latest/admin/configuration.html#security-compliance-and-pci-dss
for details on these features.

Hopefully that helps for a start, but others should be able to
provide more in-depth answers.
-- 
Jeremy Stanley
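
One way to check the anti-CSRF finding offline before toggling settings, as an added example that is not code from this thread, Horizon or TripleO: it parses a captured dashboard response for POST forms lacking Django's csrfmiddlewaretoken field and checks the csrftoken/sessionid Set-Cookie headers for the Secure and HttpOnly flags. The HTML and headers below are constructed samples shaped like a Django login page; substitute a response captured from your own Horizon.

```python
"""Triage a 'no anti-CSRF token' scanner finding against a Horizon (Django) response.
Added example; the HTML and Set-Cookie headers are constructed samples, not real captures."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie

class FormScanner(HTMLParser):
    """Record each POST form and whether it carries Django's csrfmiddlewaretoken."""
    def __init__(self):
        super().__init__()
        self.forms = []  # [{"action": str, "has_token": bool}, ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("method", "get").lower() == "post":
            self.forms.append({"action": a.get("action", ""), "has_token": False})
        elif tag == "input" and self.forms and a.get("name") == "csrfmiddlewaretoken":
            self.forms[-1]["has_token"] = True

def forms_missing_token(html):
    """Return the action URLs of POST forms rendered without a CSRF token field."""
    scanner = FormScanner()
    scanner.feed(html)
    return [f["action"] for f in scanner.forms if not f["has_token"]]

# Django's CSRF cookie is meant to be JS-readable, so only Secure is expected on
# it; the session cookie should carry both Secure and HttpOnly.
EXPECTED_FLAGS = {"csrftoken": ("secure",), "sessionid": ("secure", "httponly")}

def cookie_flag_issues(set_cookie_headers):
    """Map each Django auth cookie to the flags it is missing (empty dict if none)."""
    issues = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            missing = [flag for flag in EXPECTED_FLAGS.get(name, ()) if not morsel[flag]]
            if missing:
                issues[name] = missing
    return issues

# Constructed sample: login form is token-protected, a second POST form is not,
# and neither cookie was issued with Secure (as on a plain-HTTP dashboard).
SAMPLE_HTML = """<form method="post" action="/auth/login/">
<input type="hidden" name="csrfmiddlewaretoken" value="c0nstructedT0ken">
<input name="username"><input type="password" name="password"></form>
<form method="post" action="/settings/"><input name="language"></form>"""
SAMPLE_HEADERS = [
    "csrftoken=c0nstructedT0ken; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=c0nstructedSess; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
]
```

A form reported here without a token points at a missed implementation in that view, while cookies missing Secure point at the cookie-flag configuration (or at Horizon being served over plain HTTP).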