[Openstack-security] [Bug 1563954] Re: use_forwarded_for exposes metadata
Jeremy Stanley
fungi at yuggoth.org
Mon Dec 19 15:10:04 UTC 2016
[that was me correcting the bug type/tags a moment ago, I just forgot I
was still logged into a test account instead of this one]
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954
Title:
use_forwarded_for exposes metadata
Status in OpenStack Compute (nova):
Confirmed
Status in OpenStack Security Advisory:
Opinion
Status in OpenStack Security Notes:
Fix Released
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
The nova metadata service uses the remote address to determine which
metadata to retrieve. In order to work behind a proxy there is an
option use_forwarded_for which will use the X-Forwarded-For header to
determine the remote IP.
If this option is set then anyone who can access the metadata port can
request metadata for any instance if they know the IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum this side-effect isn't documented anywhere I could find.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions
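The root of the report above is how a metadata-style service decides which client address to act on. The following is an added example (written for this archive page; it is not nova's code and does not reproduce nova's implementation) that contrasts the two policies: the unconditional X-Forwarded-For trust that use_forwarded_for enables, and a resolver that honours the header only when the TCP peer is one of the operator's configured proxies. The WSGI-style `environ` dict, the `trusted_proxies` list and the sample addresses (192.0.2.50 as a direct caller, 10.0.0.1 as the proxy) are assumptions constructed for the example; 10.0.0.7 is the address used in the report's curl command.

```python
"""Added example, not part of the bug report or of nova.

Assumptions (constructed for this example):
- `environ` is a WSGI-style dict carrying REMOTE_ADDR (the TCP peer) and,
  optionally, HTTP_X_FORWARDED_FOR (the header as received).
- `trusted_proxies` is the operator's explicit list of proxy addresses.
"""
import ipaddress


def client_ip_use_forwarded_for(environ, use_forwarded_for):
    """Policy described in the report: with use_forwarded_for set, the
    X-Forwarded-For header wins unconditionally. Any caller that can reach
    the metadata port therefore picks whose metadata the service returns."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if use_forwarded_for and xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_trusted_proxy(environ, trusted_proxies):
    """Hardened policy: only a request whose TCP peer is a configured proxy
    may carry a meaningful X-Forwarded-For. Walk the chain right to left and
    return the first hop that is not itself a trusted proxy, i.e. the address
    the nearest trusted proxy appended; anything a client wrote further left
    is ignored. On a malformed header fall back to the peer address."""
    remote = environ["REMOTE_ADDR"]
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(remote) not in trusted:
        # Direct caller: the header is caller-controlled, so it is not used.
        return remote
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote
        if addr not in trusted:
            return hop
    # Header absent or containing only proxy addresses: act on the peer.
    return remote


def compare_policies():
    """Run both resolvers over constructed requests and return the results,
    so the difference is visible in one place."""
    proxies = ["10.0.0.1"]
    direct_spoof = {"REMOTE_ADDR": "192.0.2.50",
                    "HTTP_X_FORWARDED_FOR": "10.0.0.7"}
    via_proxy = {"REMOTE_ADDR": "10.0.0.1",
                 "HTTP_X_FORWARDED_FOR": "10.0.0.7"}
    spoof_via_proxy = {"REMOTE_ADDR": "10.0.0.1",
                       "HTTP_X_FORWARDED_FOR": "10.0.0.7, 192.0.2.50"}
    return {
        "direct_spoof/use_forwarded_for":
            client_ip_use_forwarded_for(direct_spoof, True),
        "direct_spoof/trusted_proxy":
            client_ip_trusted_proxy(direct_spoof, proxies),
        "via_proxy/trusted_proxy":
            client_ip_trusted_proxy(via_proxy, proxies),
        "spoof_via_proxy/trusted_proxy":
            client_ip_trusted_proxy(spoof_via_proxy, proxies),
    }


if __name__ == "__main__":
    for case, ip in compare_policies().items():
        print(f"{case}: {ip}")
```

The direct-caller case is the one in the report: with use_forwarded_for the resolver returns the header value 10.0.0.7, while the trusted-proxy resolver returns the peer address 192.0.2.50 and the header has no effect. The operational consequence is the same either way: if use_forwarded_for is enabled, the metadata port must be reachable only from the proxy that sets the header, and the proxy must overwrite rather than append to any X-Forwarded-For it receives.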