XSS in noVNC

Bug #1656435 reported by David Wyde
This bug affects 1 person
Affects                        | Status  | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon)  | Invalid | Undecided  | Unassigned  |
OpenStack Security Advisory    | Invalid | Undecided  | Unassigned  |

Bug Description

I recently reported an XSS bug in noVNC, which has since been fixed in 0.6.2: https://github.com/novnc/noVNC/issues/748.

Depending on how OpenStack pulls in the noVNC viewer, it might be worth a security note or release.

Vulnerability Summary:

It's possible to set up a malicious noVNC server, then send someone a
URL like http://GOOD_NOVNC/vnc_auto.html?host=BAD_NOVNC. The good noVNC
will use a WebSocket to connect to the malicious one, then display a
status message that runs JavaScript in the user's browser.
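As an added illustration of the pattern described in the summary above (example code written for this page, not noVNC's code and not part of the original report): a renderer that treats a server-supplied status message as HTML beside one that treats it as text, plus an allowlist check for the `host` query parameter so the viewer only opens a WebSocket to hosts the deployment owns. The function names, the sample hosts and the constructed status string are all hypothetical.

```javascript
// Added example, not noVNC's code. Demonstrates why a status message received
// from a remote WebSocket peer must be rendered as text, and why the `host`
// query parameter should be checked against an allowlist before connecting.

// Escape the five characters that let text become markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: the peer-controlled string is spliced into markup, which is
// what element.innerHTML = msg does in a browser.
function renderStatusUnsafe(msg) {
  return `<div class="status">${msg}</div>`;
}

// HARDENED pattern: the string is escaped first, equivalent to
// element.textContent = msg in a browser.
function renderStatusSafe(msg) {
  return `<div class="status">${escapeHtml(msg)}</div>`;
}

// Allowlist for the `host` query parameter (hypothetical helper). Returns the
// host to connect to, or null when the requested host is not one of ours.
function resolveVncHost(queryString, allowedHosts, defaultHost) {
  const params = new URLSearchParams(queryString);
  const requested = params.get('host');
  if (requested === null) return defaultHost;
  const host = requested.trim().toLowerCase();
  return allowedHosts.includes(host) ? host : null;
}

// Constructed sample of a status string a hostile peer could send; the script
// body is a placeholder comment, not a working payload.
const HOSTILE_STATUS = 'Connection failed: <script>/* peer-controlled */</script>';
const ALLOWED_HOSTS = ['vnc.good.example'];

console.log('unsafe:', renderStatusUnsafe(HOSTILE_STATUS));
console.log('safe:  ', renderStatusSafe(HOSTILE_STATUS));
console.log('host:  ', resolveVncHost('?host=bad.example', ALLOWED_HOSTS, 'vnc.good.example'));
```

The allowlist check is the deployment-side mitigation: even with the rendering fixed, letting an arbitrary `host` value drive the WebSocket connection means the viewer will talk to whatever server a link points it at.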

Tags: security
Revision history for this message
Jeremy Stanley (fungi) wrote :

I've added an invalid OSSA bugtask (indicating that the OpenStack VMT won't issue a formal advisory for this) as it's clearly class C2 in our report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

I've subscribed the security team reviewers in case they determine they would like to release a security note as you indicate. Due to the fact that the NoVNC vulnerabilities you've linked above are public, it probably makes little sense to work on this report under embargo but I'll let the OSSG CoreSec members make that determination.

Changed in ossa:
status: New → Invalid
Travis McPeak (travis-mcpeak) wrote :

I don't see much of a case for releasing a note about a bad version of a third party component with an update already available.

Jeremy Stanley (fungi) wrote :

In that case, no objections from the OSSN editors for switching this bug to public?

Luke Hinds (lhinds) wrote :

Sounds fine to me, it will help get more authors eyes on it to write a note too.

Luke Hinds (lhinds) wrote :

Or rather, I echo Travis's point, in that patches are already there, so no need for an OSSN.

Jeremy Stanley (fungi) wrote :

Switched to public as discussed. Thanks for the heads up on this one, David!

information type: Private Security → Public
tags: added: security
Gary W. Smith (gary-w-smith) wrote :

It is my understanding, per the above, that this is a bug in a third-party component that has been fixed, so closing the horizon portion of this bug. If this is not the case, then feel free to reopen the bug and clarify.

Changed in horizon:
status: New → Invalid