[OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)

Bug #1468744 reported by Vlad Okhrimenko
This bug affects 2 people
Affects             Status        Importance  Assigned to             Milestone
Mirantis OpenStack  Fix Released  Critical    Vlad Okhrimenko
6.0.x               Fix Released  Critical    Alexander Nevenchannyy
6.1.x               Fix Released  Critical    MOS Maintenance
7.0.x               Fix Released  Critical    Vlad Okhrimenko

Bug Description

1) Start up Horizon
2) Go to Images
3) Next to an image, pick "Update Metadata"
4) From the dropdown button, select "Update Metadata"
5) In the Custom box, enter a value with some HTML like:
'<img>'
'<script><script>'
'</script><script>alert(1)</script>//'
and click +
6) On the right-hand side, give it a value, like "ee"
7) Click "Save"
8) Pick "Update Metadata" for the image again, the page will fail to load, and the JavaScript console says:

SyntaxError: invalid property id
var existing_metadata = {"

An alternative is if you change the URL to update_metadata for the image (for example, http://192.168.122.239/admin/images/fa62ba27-e731-4ab9-8487-f31bac355b4c/update_metadata/), it will actually display the alert box and a bunch of junk.

I'm not sure if update_metadata is actually a page, though... can't figure out how to get to it other than typing it in.
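
Added example, not part of the original report and not the Horizon patch: it reproduces the pattern the console error points to, JSON written into an inline script block, next to a hardened rendering. The template string, function names and sample dictionary are assumptions made for illustration.

```python
import json
from html.parser import HTMLParser

# Constructed sample: the label from step 5 of the report as a metadata key.
SAMPLE_METADATA = {"</script><script>alert(1)</script>//": "ee"}

TEMPLATE = "<script>var existing_metadata = %s;</script>"

# Characters the HTML tokenizer reacts to, rewritten as JS/JSON unicode escapes.
_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def render_unsafe(metadata):
    """Vulnerable pattern: json.dumps() leaves '<' and '/' untouched."""
    return TEMPLATE % json.dumps(metadata)


def render_safe(metadata):
    """Hardened: same JSON value, but nothing in it can close the script."""
    return TEMPLATE % json.dumps(metadata).translate(_ESCAPES)


class _ScriptCollector(HTMLParser):
    """Records the body of each <script> element the HTML tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.scripts[-1] += data


def script_bodies(html):
    """Return the list of script bodies found in an HTML fragment."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts
```

For the unsafe rendering, the first script body is the same truncated `var existing_metadata = {"` shown in the console error above, and the label's own script follows as a second body. Current Django versions ship the `json_script` template filter for this purpose.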

Vlad Okhrimenko (vokhrimenko) wrote :
Changed in mos:
assignee: nobody → Vlad Okhrimenko (vokhrimenko)
status: New → In Progress
tags: added: horizon
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-6.1/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.1/2014.2
Change author: Thai Tran <email address hidden>
Review: https://review.fuel-infra.org/8473

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Thai Tran <email address hidden>
Review: https://review.fuel-infra.org/8475

Timur Sufiev (tsufiev-x)
Changed in mos:
importance: Undecided → Critical
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-6.1/2014.2)

Reviewed: https://review.fuel-infra.org/8473
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: 60f9d110584fcf6b90608faaf6a01530568a70ea
Author: Thai Tran <email address hidden>
Date: Thu Jun 25 12:07:44 2015

Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <email address hidden>
Closes-bug: #1468744
cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515

Conflicts:
 horizon/templates/horizon/common/_modal_form_update_metadata.html

Change-Id: I9f749b689f9901db265b208ae917693a6f4a784f

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-6.0-updates/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0-updates/2014.2
Change author: Thai Tran <email address hidden>
Review: https://review.fuel-infra.org/8493

tags: added: 6.1-mu-1
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to patching-tests (stable/6.1)

Fix proposed to branch: stable/6.1
Change author: Vadim Rovachev <email address hidden>
Review: https://review.fuel-infra.org/8925

description: updated
Vadim Rovachev (vrovachev) wrote :

Bug reproduced after installing patch https://review.fuel-infra.org/#/c/8493/

Vitaly Sedelnik (vsedelnik) wrote :

Changing the status to In Progress for 6.1.x: the review https://review.fuel-infra.org/8473 is merged; however, it still requires additional validation for 6.1.x (the last comment references the review for 6.0-updates, not 6.1.x).

Vadim - please try to reproduce the issue in 6.1 with the fix from https://review.fuel-infra.org/8473 and change the status accordingly, thanks!

Vadim Rovachev (vrovachev) wrote :

This bug cannot be verified because we have another bug, which affects this bug.
Upstream bug: https://bugs.launchpad.net/glance/+bug/1471215
Fuel bug: https://bugs.launchpad.net/fuel/+bug/1472241

Vitaly Sedelnik (vsedelnik) wrote :

Removed from 6.1-mu-1 scope because the fix depends on https://bugs.launchpad.net/fuel/+bug/1472241 - to be included into 6.1-mu-2

Denis Meltsaykin (dmeltsaykin) wrote :

Our current deployment scheme uses haproxy as a frontend to every component. With the default configuration, haproxy denies using "<>" in transmitted headers, as it is considered invalid. As changing the glance API (maybe other APIs too?) does not look like a good solution, I'd suggest changing haproxy's glance frontend configuration with the `accept-invalid-http-response` option in order to pass headers unchanged. In my opinion, this would be well aligned with upstream's scheme, which assumes that there is no proxy or header filtering in front of the glance API.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on patching-tests (stable/6.1)

Change abandoned by Alexey Shtokolov <email address hidden> on branch: stable/6.1
Review: https://review.fuel-infra.org/9086

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change restored on patching-tests (stable/6.1)

Change restored by Alexey Shtokolov <email address hidden> on branch: stable/6.1
Review: https://review.fuel-infra.org/9086

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9086
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: 7218c80b9ac7e3c4a31374e491da02ad32fc1710
Author: Alex Ermolov <email address hidden>
Date: Fri Jul 10 12:09:56 2015

Sanitation of metadata label

Closes-Bug: #1468744
Change-Id: I4fa9f4db0887cd34b4579ff35eb51c5051c3eed9

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/8475
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: 9c959c2f8de5d0b4bd1d6996b6b4427865113c0d
Author: Thai Tran <email address hidden>
Date: Thu Jul 16 10:35:59 2015

Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <email address hidden>
Closes-bug: #1468744
cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515

Change-Id: I9625404f9b48d746ad76b4c806e5305db4264319

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to patching-tests (master)

Fix proposed to branch: master
Change author: Vadim Rovachev <email address hidden>
Review: https://review.fuel-infra.org/9850

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on patching-tests (master)

Change abandoned by Vadim Rovachev <email address hidden> on branch: master
Review: https://review.fuel-infra.org/9850

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-6.0-updates/2014.2)

Reviewed: https://review.fuel-infra.org/8493
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-6.0-updates/2014.2

Commit: e5edda043fc30e02307bd4e849e9c8959cfe59ed
Author: Thai Tran <email address hidden>
Date: Thu Jun 25 17:03:28 2015

Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <email address hidden>
Closes-bug: #1468744
cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515

Conflicts:
 horizon/templates/horizon/common/_modal_form_update_metadata.html

Change-Id: I9f749b689f9901db265b208ae917693a6f4a784f
(cherry picked from commit 60f9d110584fcf6b90608faaf6a01530568a70ea)

tags: added: 6.0-mu-5 done release-notes
tags: removed: 6.0-mu-5
tags: added: 6.0-mu-5
Vadim Rovachev (vrovachev) wrote :

This fix does not work without changing haproxy parameters.
In order to make this fix work you need to add the parameter:
option accept-invalid-http-response
to /etc/haproxy/haproxy.cfg
and reset haproxy using pacemaker.

Vadim Rovachev (vrovachev) wrote :

verified for 6.0 with workaround for haproxy.

Vadim Rovachev (vrovachev) wrote :

verified for 6.1 with workaround for haproxy.

oleksii shyman (oshyman) wrote :

verified on ISO #246 for 7.0 with workaround for haproxy
How will this haproxy issue be solved in production?

tags: added: on-verification
oleksii shyman (oshyman)
tags: removed: on-verification
tags: added: 7.0
tags: added: release-notes-done-7.0
removed: 7.0 done release-notes
tags: added: 7.0 release-notes-done
removed: release-notes-done-7.0
tags: added: rn7.0
removed: 7.0
tags: added: rn6.0-mu-5 rn6.1-mu-1
removed: 6.0-mu-5 6.1-mu-1
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Thai Tran <email address hidden>
Review: https://review.fuel-infra.org/13381

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/horizon (openstack-ci/fuel-8.0/liberty)

Change abandoned by Paul Karikh <email address hidden> on branch: openstack-ci/fuel-8.0/liberty
Review: https://review.fuel-infra.org/13381

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on patching-tests (stable/6.1)

Change abandoned by Vadim Rovachev <email address hidden> on branch: stable/6.1
Review: https://review.fuel-infra.org/8925

tags: added: feature-security