[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Dec 23 19:59:44 UTC 2013


Okay! But, I don't know how to reproduce this. Mostly because this
situation appeared "out of nothing" and I have no knowledge to go deep
inside OpenStack to see the problem in detail.

Nevertheless, I can open my system for debugging.

Also, I'll try to get more details about what's going on here...

Tks!
Thiago


On 23 December 2013 11:16, Jay Pipes <jaypipes at gmail.com> wrote:

> On 12/22/2013 12:37 PM, Martinx - ジェームズ wrote:
>
>> Stackers!
>>
>> I need a bit of help here...
>>
>> My OpenStack Havana (Ubuntu 12.04.3) was working smoothly and, I don't
>> know what had happened here but, now, I'm seeing some weird problems.
>>
>> Right now, the "Tenant A" is seeing the VNC Consoles of "Tenant B" !!!
>>
>> How is that even possible?! There is no authentication here to deal with
>> this kind of thing!? I'm really worried about this.
>>
>> Look:
>>
>> "Tenant A" Instances:
>>
>> Inline images 1
>>
>>
>> "Tenant A" accessing the VNC Console of a "Tenant B" Instance!!!
>>
>> Inline images 2
>>
>>
>> This is a very serious problem, since I'm giving "Tenant A"
>> almost total access to "Tenant B" Instances!! This kind of situation
>> should NEVER occur!
>>
>> What can I do to completely block this?
>>
>> I just started a new Instance for "Tenant A", and I'm seeing ANOTHER VNC
>> Console from "Tenant B"!!
>>
>
> Thiago, yes, this is indeed a major security breach. If you have not
> already, please create a bug in Launchpad with your image attachments and a
> description to reproduce the bug if you can. Please mark the bug as a
> security/private bug.
>
> Thank you!
> -jay