[Openstack-security] Fwd: [Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Sriram Subramanian sriram at sriramhere.com
Tue Dec 24 00:43:17 UTC 2013


Dear OSSG,

Anybody seen this? Can we follow up with him for more details?

thanks,
-Sriram

---------- Forwarded message ----------
From: Martinx - ジェームズ <thiagocmartinsc at gmail.com>
Date: Sun, Dec 22, 2013 at 9:37 AM
Subject: [Openstack] Security Breach! Tenant A is seeing the VNC Consoles
of Tenant B!
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>


Stackers!

I need a bit of help here...

My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't know
what happened here, but now I'm seeing some weird problems.

Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!

How is that even possible?! There is no authentication here to deal with
this kind of thing!? I'm really worried about this.

Look:

"Tenant A" Instances:

[image: Inline images 1]


"Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!

[image: Inline images 2]


This is a very serious problem, since I'm giving "Tenant A" almost
total access to "Tenant B" Instances!! This kind of situation should NEVER
occur!

What can I do to completely block this?

I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
Console from "Tenant B"!!

Regards,
Thiago

-- 
Thanks,
-Sriram