Cross-site web socket connections fail on Origin and Host header mismatch

Bug #1474079 reported by Mike Dorman
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Mike Dorman
Milestone: (see status history below)

Bug Description

The Kilo web socket proxy implementation for Nova consoles added an Origin header validation to ensure the Origin hostname matches the hostname from the Host header. This was a result of the following XSS security bug: https://bugs.launchpad.net/nova/+bug/1409142 (CVE-2015-0259)

In other words, this requires that the web UI being used (Horizon, or whatever) has a URL hostname which is the same as the hostname by which the console proxy is accessed. This is a safe assumption for Horizon. However, we have a use case where our (custom) UI runs at a different URL than the console proxies do, and thus we need to allow cross-site web socket connections. The patch for 1409142 (https://github.secureserver.net/cloudplatform/els-nova/commit/fdb73a2d445971c6158a80692c6f74094fd4193a) breaks this functionality for us.

Would like to have some way to enable controlled XSS web socket connections to the console proxy services, maybe via a nova config parameter providing a list of allowed origin hosts?

Tags: console

tags: added: console
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/201677

Changed in nova:
assignee: nobody → Mike Dorman (mdorman-m)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/201677
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=95f1d47bb54cf18b3c8cdf8d36c261b977afd017
Submitter: Jenkins
Branch: master

commit 95f1d47bb54cf18b3c8cdf8d36c261b977afd017
Author: Mike Dorman <email address hidden>
Date: Tue Jul 14 11:25:50 2015 -0600

    Add console allowed origins setting

    Adds a DEFAULT/console_allowed_origins to the console
    websocket proxy to allow connections from other Origin hostnames
    (other than only the hostname in the Host header.)

    Origin header checking was introduced in
    https://review.openstack.org/#/c/163033/ as a fix for bug 1409142
    and CVE-2015-0259. However there are valid use cases where you
    want to do cross-site web socket connections.

    This patch allows for controlled cross-site web socket connections
    to the console proxy services.

    DocImpact

    Change-Id: If7995bb7afc255f5ad834dc8a7044ef38b6cb335
    Closes-bug: 1474079
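The check described in the bug report and in the commit message above (Origin hostname must match the Host header hostname, unless the origin is on an explicit allow-list) can be illustrated with a small standalone validator. This is an added example, not nova's websocket proxy code; the header dictionary, the helper name origin_allowed, and the sample hostnames are constructed for illustration. It assumes the allow-list is compared by hostname only, as the commit message describes, and it rejects a missing or "null" Origin as the conservative choice (an assumption, not a statement about nova's behaviour).

```python
from urllib.parse import urlparse

# Constructed stand-in for a DEFAULT/console_allowed_origins style setting:
# hostnames of trusted UIs that are served from a different host than the proxy.
CONSOLE_ALLOWED_ORIGINS = ["ui.example.test"]


def _hostname_of_host_header(host_header):
    """Extract the hostname from a Host header value, dropping any port.

    urlparse handles bracketed IPv6 literals ("[::1]:6080") correctly,
    which a naive split on ':' would not.
    """
    return urlparse("//" + host_header).hostname


def origin_allowed(headers, allowed_origins=()):
    """Return True if the websocket handshake's Origin may open a console.

    Accepted when the Origin hostname equals the Host header hostname, or
    when it appears in allowed_origins (case-insensitive hostname match).
    A missing Origin, an unparsable Origin, or the literal "null" origin
    is rejected (assumption for this example: fail closed).
    """
    origin = headers.get("Origin")
    host = headers.get("Host")
    if not origin or not host:
        return False

    origin_host = urlparse(origin).hostname  # None for "null" or garbage
    proxy_host = _hostname_of_host_header(host)
    if not origin_host or not proxy_host:
        return False

    # urlparse().hostname is already lower-cased; normalise the allow-list too.
    if origin_host == proxy_host:
        return True
    return origin_host in {h.lower() for h in allowed_origins}


def evaluate_samples():
    """Run constructed handshakes through the validator and return the verdicts."""
    proxy = "proxy.example.test:6080"
    samples = {
        "same_host": {"Origin": "https://proxy.example.test", "Host": proxy},
        "allowed_ui": {"Origin": "https://ui.example.test", "Host": proxy},
        "other_site": {"Origin": "https://other.example.test", "Host": proxy},
        "null_origin": {"Origin": "null", "Host": proxy},
        "no_origin": {"Host": proxy},
        "ipv6_proxy": {"Origin": "http://[::1]", "Host": "[::1]:6080"},
    }
    return {
        name: origin_allowed(hdrs, CONSOLE_ALLOWED_ORIGINS)
        for name, hdrs in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:12s} -> {'allow' if verdict else 'reject'}")
```

Note that only the hostname is compared: a trusted hostname on the allow-list is accepted regardless of scheme or port, so the list should name exactly the UI hosts that are meant to embed consoles and nothing broader.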

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-3 → 12.0.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/302387

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/kilo)

Change abandoned by Jordan Tardif (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/302387
