[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Dec 23 19:42:40 UTC 2013


I'm using Havana + Ubuntu 12.04.3 + KVM.


On 23 December 2013 12:51, Gary Kotton <gkotton at vmware.com> wrote:

> Hi,
> Which driver are you using? For the VMware driver we found an edge case
> where this may happen - please see
> https://bugs.launchpad.net/nova/+bug/1255609 and the fix for this is
> (https://review.openstack.org/#/c/58994/).
> Thanks
> Gary
>
>
> On 12/23/13 3:16 PM, "Jay Pipes" <jaypipes at gmail.com> wrote:
>
> >On 12/22/2013 12:37 PM, Martinx - ジェームズ wrote:
> >> Stackers!
> >>
> >> I need a bit of help here...
> >>
> >> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
> >> know what had happened here but, now, I'm seeing some weird problems.
> >>
> >> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
> >>
> >> How is that even possible?! There is no authentication here to deal with
> >> this kind of thing!? I'm really worried about this.
> >>
> >> Look:
> >>
> >> "Tenant A" Instances:
> >>
> >> Inline images 1
> >>
> >>
> >> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
> >>
> >> Inline images 2
> >>
> >>
> >> This is a very serious problem, since I'm giving "Tenant A"
> >> almost total access to "Tenant B" Instances!! This kind of situation
> >> should NEVER occur!
> >>
> >> What can I do to completely block this?
> >>
> >> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
> >> Console from "Tenant B"!!
> >
> >Thiago, yes, this is indeed a major security breach. If you have not
> >already, please create a bug in Launchpad with your image attachments
> >and a description to reproduce the bug if you can. Please mark the bug
> >as a security/private bug.
> >
> >Thank you!
> >-jay
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>