[Openstack] [OSSG][OSSN] Configure Horizon to mitigate BREACH/CRIME attacks

Clark, Robert Graham robert.clark at hp.com
Thu Sep 19 17:34:26 UTC 2013


Configure Horizon to mitigate BREACH/CRIME attacks
-----

### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME-style
chosen-plaintext attacks, which may allow an attacker to recover the CSRF
token and execute CSRF attacks.

### Affected Services / Software ###
Horizon, Django, Apache, Nginx

### Discussion ###
The BREACH attack may be used to compromise Django's CSRF protection.
OpenStack's Horizon web dashboard is built with Django and consequently
affected. There is no Horizon patch but there are protection options.

BREACH takes advantage of the size leak that occurs when secrets such as the
CSRF token are served in compressed HTTP responses over SSL/TLS.

### Recommended Actions ###
Disable Django's GZIP Middleware:
https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip
Disable GZip compression in your web server's config:
* Apache: Disable mod_deflate
    * http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
* Nginx: Disable the gzip module
    * http://wiki.nginx.org/HttpGzipModule
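An added audit helper (not part of this OSSN, Horizon or Django) that flags the three compression sources the actions above tell you to disable and shows the weak setting beside the corrected one, using constructed sample configs. It assumes the Django setting is the MIDDLEWARE_CLASSES list of that era and that Apache enables mod_deflate in the config text you hand it rather than via a2enmod symlinks.

```python
import re

GZIP_MIDDLEWARE = "django.middleware.gzip.GZipMiddleware"

def django_gzip_enabled(middleware_classes):
    """True if GZipMiddleware is listed (assumed: MIDDLEWARE_CLASSES in local_settings.py)."""
    return GZIP_MIDDLEWARE in middleware_classes

def nginx_gzip_enabled(config_text):
    """True if any 'gzip on;' directive is present; nginx's default is off."""
    return re.search(r"^\s*gzip\s+on\s*;", config_text, re.MULTILINE) is not None

def apache_deflate_enabled(config_text):
    """True if mod_deflate is loaded or an output filter applies DEFLATE; commented lines ignored."""
    loaded = re.search(r"^\s*LoadModule\s+deflate_module\b", config_text, re.MULTILINE)
    filtered = re.search(r"^\s*(SetOutputFilter|AddOutputFilterByType)\b.*\bDEFLATE\b",
                         config_text, re.MULTILINE)
    return bool(loaded or filtered)

def response_is_compressed(raw_headers):
    """True if a captured response header block says the body was gzip/deflate encoded."""
    m = re.search(r"^content-encoding:\s*(.+)$", raw_headers, re.MULTILINE | re.IGNORECASE)
    if not m:
        return False
    return any(enc.strip().lower() in ("gzip", "deflate") for enc in m.group(1).split(","))

def audit(middleware_classes, nginx_conf, apache_conf):
    """Return the compression sources still enabled; an empty list means the advice was applied."""
    findings = []
    if django_gzip_enabled(middleware_classes):
        findings.append("django-gzip-middleware")
    if nginx_gzip_enabled(nginx_conf):
        findings.append("nginx-gzip")
    if apache_deflate_enabled(apache_conf):
        findings.append("apache-mod_deflate")
    return findings

# Constructed samples (not from any real deployment): the weak setting beside the corrected one.
WEAK_MIDDLEWARE = (GZIP_MIDDLEWARE, "django.middleware.csrf.CsrfViewMiddleware")
FIXED_MIDDLEWARE = ("django.middleware.csrf.CsrfViewMiddleware",)
WEAK_NGINX = "http {\n    gzip on;\n    gzip_types text/html text/css;\n}\n"
FIXED_NGINX = "http {\n    gzip off;\n}\n"
WEAK_APACHE = "LoadModule deflate_module modules/mod_deflate.so\nAddOutputFilterByType DEFLATE text/html\n"
FIXED_APACHE = "# LoadModule deflate_module modules/mod_deflate.so\n"

if __name__ == "__main__":
    print("before:", audit(WEAK_MIDDLEWARE, WEAK_NGINX, WEAK_APACHE))
    print("after: ", audit(FIXED_MIDDLEWARE, FIXED_NGINX, FIXED_APACHE))
```

After changing the configs, fetch the dashboard over HTTPS with an Accept-Encoding: gzip request header and pass the response headers to response_is_compressed to confirm nothing upstream still compresses.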

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1209250
Django advice on BREACH :
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
More info on BREACH : http://breachattack.com/
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
