Backport of CVE-2015-3219 fix into Horizon

Bug #1462095 reported by Timur Sufiev
Affects               Status         Importance   Assigned to        Milestone
Mirantis OpenStack    Fix Released   Critical     Timur Sufiev
5.1.x                 Invalid        Critical     MOS Maintenance
6.0.x                 Fix Released   Critical     Alexey Khivin

Bug Description

Title: XSS in Horizon Heat stack creation
Reporter: Nikita Konovalov (Mirantis)
Products: Horizon
Affects: 2014.2 versions through 2014.2.3 and version 2015.1.0

Description:
Nikita Konovalov from Mirantis reported a vulnerability in Horizon. By
tricking a Horizon user into using a malicious template in the
Orchestration/Stack section of Horizon, a remote attacker may trigger a
cross-site scripting vulnerability during stack creation. It may
result in the theft of assets such as user access credentials. Only
setups exposing the orchestration dashboard in Horizon are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/juno, stable/kilo and master on the public
disclosure date.

CVE: CVE-2015-3219

Proposed public disclosure date/time:
2015-06-09, 1500 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Timur Sufiev (tsufiev-x)
Changed in mos:
milestone: none → 6.1
assignee: nobody → Timur Sufiev (tsufiev-x)
Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

The fix being backported is at https://review.fuel-infra.org/#/c/7530/

tags: added: horizon
Timur Sufiev (tsufiev-x)
Changed in mos:
status: New → Fix Committed
Timur Sufiev (tsufiev-x) wrote :

Changing the status to Public Security because the disclosure date had already passed.

information type: Private Security → Public Security
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-6.0-updates/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0-updates/2014.2
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/7879

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/8163

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-6.0-updates/2014.2)

Reviewed: https://review.fuel-infra.org/7879
Submitter: Alex Khivin <email address hidden>
Branch: openstack-ci/fuel-6.0-updates/2014.2

Commit: f3ebfbfc8fb7610ad90e4b1401911791efc437a1
Author: Timur Sufiev <email address hidden>
Date: Tue Jun 16 11:43:37 2015

[PATCH] Escape the description param from heat template

The heat template allows users to define custom parameters;
these are then converted to input fields. The description
param maps to the help_text attribute of the field.

Since the value comes from the user, the value must be escaped
before rendering.

Change-Id: I557f5143aafb246bdf838379e4b263a97db7a552
Closes-bug: #1462095
(cherry picked from commit dcd4729c2021514002dbf6967848b02fb6c04b84)

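The escaping described in the commit message above, as an added example that is not Horizon's own code: it maps a constructed Heat template "parameters" section to the help text of the generated form fields, with the unescaped pre-fix behaviour selectable for comparison, and adds a defender-side check that flags descriptions carrying markup. It assumes Python's standard-library html.escape in place of Django's escape helper.

```python
import html

# Constructed sample of a Heat template's "parameters" section, as a user
# creating a stack could supply it. The first description carries markup.
SAMPLE_PARAMETERS = {
    "flavor": {
        "type": "string",
        "default": "m1.small",
        "description": "Flavor to use <script>alert(1)</script>",
    },
    "count": {
        "type": "number",
        "description": "Number of instances & replicas",
    },
}


def build_fields(parameters, escape_help=True):
    """Turn each template parameter into the data a generated input field needs.

    The parameter description becomes the field's help_text. With
    escape_help=False this reproduces the pre-fix behaviour: user-supplied
    markup passes straight through to the rendered page.
    """
    fields = {}
    for name, spec in parameters.items():
        description = spec.get("description", "")
        fields[name] = {
            "label": name,
            "type": spec.get("type", "string"),
            "initial": spec.get("default", ""),
            # The fix: escape before the value reaches the template.
            "help_text": html.escape(description) if escape_help else description,
        }
    return fields


def render_help_block(field):
    """Emit the help block the way a field template that trusts help_text would."""
    return '<span class="help-block">%s</span>' % field["help_text"]


def flag_markup_in_descriptions(parameters):
    """Defensive check: names of parameters whose description holds HTML-significant characters."""
    return sorted(name for name, spec in parameters.items()
                  if any(ch in spec.get("description", "") for ch in "<>&\"'"))
```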
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Timur Sufiev <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8163
Reason: According to https://docs.google.com/spreadsheets/d/1vF4Iah_ZfE69z2y-qP2cNxQ23Vzag2pknex4xzlRJBM/edit#gid=74888541

Changed in mos:
status: Fix Committed → Fix Released
tags: added: feature-security