Configure Horizon to mitigate BREACH/CRIME attacks
-----

### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME style chosen-plaintext attacks, which may allow an attacker to execute CSRF attacks.

### Affected Services / Software ###
Horizon, Django, Apache, NGinx

### Discussion ###
The BREACH attack may be used to compromise Django's CSRF protection. OpenStack's Horizon web dashboard is built with Django and is consequently affected. There is no Horizon patch, but there are protection options. BREACH takes advantage of vulnerabilities that arise when serving compressed data over SSL/TLS.

### Recommended Actions ###
Disable Django's GZIP Middleware:
https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip

Disable GZip compression in your web server's config:
* Apache: Disable mod_deflate
  * http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
* Nginx: Disable the gzip module
  * http://wiki.nginx.org/HttpGzipModule

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1209250
Django advice on BREACH : https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
More info on BREACH : http://breachattack.com/
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
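The three mitigations above (Django middleware, Apache mod_deflate, nginx gzip) can be checked mechanically before a Horizon deployment goes live. The following audit script is an added example, not part of the OSSN or of the Horizon project; the config fragments it scans are constructed samples in the Django 1.x `MIDDLEWARE_CLASSES` style, and the finding strings are this example's own wording.

```python
"""Audit Horizon deployment config fragments for HTTP response compression,
the precondition BREACH relies on. Added example with constructed sample configs."""
import re

# Constructed sample fragments (not taken from the OSSN) showing the weak settings.
DJANGO_SETTINGS = """
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.middleware.gzip.GZipMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
)
"""
NGINX_CONF = "http {\n    gzip on;\n    gzip_types text/html application/json;\n}\n"
APACHE_CONF = ("LoadModule deflate_module modules/mod_deflate.so\n"
               "<Location />\n    SetOutputFilter DEFLATE\n</Location>\n")

# Hardened counterpart for Django: the middleware entry is commented out.
DJANGO_SETTINGS_FIXED = DJANGO_SETTINGS.replace(
    "    'django.middleware.gzip.GZipMiddleware',",
    "    # 'django.middleware.gzip.GZipMiddleware',  # disabled per OSSN")

def audit_django(settings_text):
    """Flag an active (uncommented) GZipMiddleware entry."""
    pat = r"^\s*['\"]django\.middleware\.gzip\.GZipMiddleware['\"]"
    if re.search(pat, settings_text, re.M):
        return ["django: GZipMiddleware enabled in MIDDLEWARE_CLASSES"]
    return []

def audit_nginx(conf_text):
    """gzip is off by default in nginx; every uncommented 'gzip on;' enables it for its scope."""
    return ["nginx: 'gzip on;' found (line %d)" % (conf_text.count("\n", 0, m.start()) + 1)
            for m in re.finditer(r"^\s*gzip\s+on\s*;", conf_text, re.M)]

def audit_apache(conf_text):
    """Flag mod_deflate being loaded and any DEFLATE output filter being applied."""
    findings = []
    if re.search(r"^\s*LoadModule\s+deflate_module\b", conf_text, re.M):
        findings.append("apache: mod_deflate is loaded")
    if re.search(r"^\s*(SetOutputFilter|AddOutputFilterByType)\s+.*\bDEFLATE\b",
                 conf_text, re.M):
        findings.append("apache: DEFLATE output filter configured")
    return findings

def audit_all(django, nginx, apache):
    """Return every compression finding across the three layers; empty list means clean."""
    return audit_django(django) + audit_nginx(nginx) + audit_apache(apache)

if __name__ == "__main__":
    for finding in audit_all(DJANGO_SETTINGS, NGINX_CONF, APACHE_CONF):
        print("FINDING:", finding)
```

Running it against the constructed samples reports four findings; against the hardened Django settings, an nginx config with `gzip off;` and an Apache config with the `LoadModule` line commented out, it reports none.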