[Openstack] [OSSA 2015-005] Nova console Cross-Site WebSocket hijacking (CVE-2015-0259)
Lars Kellogg-Stedman
lars at redhat.com
Thu Mar 26 18:29:03 UTC 2015
On Fri, Mar 13, 2015 at 01:46:43PM -0400, Tristan Cacqueray wrote:
> - This fix is included in 2014.1.4 (icehouse) release and it will be included
> in the kilo-3 development milestone and in the future 2014.2.3 (juno)
> release.
Something that should be noted here (and possibly more prominently
somewhere else) is that these changes will break many formerly working
configurations.
Previously, the value of novncproxy_base_url was used only by
nova-compute, and is often *not* set explicitly on hosts running the
nova-novncproxy service. Because the value of novncproxy_base_url
defaults to an "http://" url, anyone using https:// console
connections will find that their connections are now rejected with:
ValidationError: Origin header protocol does not match this host
The solution, of course, is to make sure that the value of
novncproxy_base_url is set explicitly where the nova-novncproxy
service is running. This is a bit of a hack, since the service
*really* only cares about the protocol portion of the URL, suggesting
that maybe a new configuration option would have been a less intrusive
solution.
If nothing else, this requires documentation updates to make the new
behavior obvious.
--
Lars Kellogg-Stedman <lars at redhat.com> | larsks @ {freenode,twitter,github}
Cloud Engineering / OpenStack | http://blog.oddbit.com/
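As an added illustration of the failure mode Lars describes (this is example code written for this page, not Nova's own websocketproxy code), the check below compares only the scheme of the browser's Origin header against the scheme of novncproxy_base_url, which is exactly the comparison that rejects https:// consoles when the option is left at its http:// default on the proxy host. The default base URL value and the sample Origin values are constructed for the example.

```python
"""Illustrative Origin-scheme check for a noVNC-style WebSocket proxy.

Not Nova's code: it models the behaviour described in the thread, where the
proxy derives the expected protocol from novncproxy_base_url and rejects a
handshake whose Origin header uses a different scheme.
"""
from urllib.parse import urlparse

# Assumed default value for the example: what matters is the http:// scheme,
# which is what the post says the option defaults to.
DEFAULT_NOVNCPROXY_BASE_URL = "http://127.0.0.1:6080/vnc_auto.html"


class ValidationError(Exception):
    """Raised when the WebSocket handshake fails origin validation."""


def check_origin(origin_header, novncproxy_base_url=DEFAULT_NOVNCPROXY_BASE_URL):
    """Validate a browser Origin header against the configured proxy base URL.

    The proxy only cares about the protocol portion of novncproxy_base_url,
    so only the scheme is compared. Returns True when the handshake may
    proceed and raises ValidationError otherwise.
    """
    if not origin_header:
        raise ValidationError("Origin header is missing")

    expected_scheme = urlparse(novncproxy_base_url).scheme
    origin_scheme = urlparse(origin_header).scheme

    if origin_scheme != expected_scheme:
        raise ValidationError("Origin header protocol does not match this host")
    return True


def origin_allowed(origin_header, novncproxy_base_url=DEFAULT_NOVNCPROXY_BASE_URL):
    """Boolean wrapper around check_origin for quick testing."""
    try:
        return check_origin(origin_header, novncproxy_base_url)
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample Origin headers, as a browser would send them.
    https_origin = "https://controller.example.com:6080"
    http_origin = "http://controller.example.com:6080"

    # Proxy host left at the http:// default: https consoles are rejected.
    print("default config, https origin:", origin_allowed(https_origin))
    print("default config, http origin: ", origin_allowed(http_origin))

    # Proxy host with novncproxy_base_url set explicitly to https://.
    explicit = "https://controller.example.com:6080/vnc_auto.html"
    print("explicit https base url, https origin:", origin_allowed(https_origin, explicit))
```

Run it to see the second case flip from rejected to accepted once novncproxy_base_url carries the https:// scheme on the host running nova-novncproxy. Setting the option on that host, rather than only on compute nodes, is the workaround the post recommends.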