XSS in noVNC

Bug #1656435 reported by David Wyde on 2017-01-13
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon) - Importance: Undecided - Assigned to: Unassigned
Affects: OpenStack Security Advisory - Importance: Undecided - Assigned to: Unassigned

Bug Description

I recently reported an XSS bug in noVNC, which has since been fixed in 0.6.2: https://github.com/novnc/noVNC/issues/748.

Depending on how OpenStack pulls in the noVNC viewer, it might be worth a security note or release.

Vulnerability Summary:

It's possible to set up a malicious noVNC server, then send someone a URL like http://GOOD_NOVNC/vnc_auto.html?host=BAD_NOVNC. The good noVNC will use a WebSocket to connect to the malicious one, then display a status message that runs JavaScript in the user's browser.
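The two defensive measures implied by the summary above, shown as an added example that is not noVNC's code or the fix shipped in 0.6.2: status text received from the VNC server is treated as text rather than markup, and the `host`/`port` values taken from the page URL are checked against an allowlist before any WebSocket is opened. The function names, the allowlist, and the sample status string are all constructed for this illustration.

```javascript
// Added example (not noVNC's code). Demonstrates why a server-controlled
// status message must be escaped (or assigned via textContent in a browser)
// and why a URL-supplied host should be validated before connecting.

// Escape the five characters that let text become HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: untrusted text concatenated straight into markup.
// In a browser this is the innerHTML assignment that causes the XSS.
function renderStatusUnsafe(msg) {
  return '<div class="status">' + msg + '</div>';
}

// Safe pattern: escape first. Equivalent to `el.textContent = msg` in the DOM.
function renderStatusSafe(msg) {
  return '<div class="status">' + escapeHtml(msg) + '</div>';
}

// Resolve the WebSocket target from the viewer page URL, refusing any host
// that is not on the allowlist (hypothetical policy; a deployment might
// instead pin the target server-side and ignore the query parameter).
function resolveTarget(pageUrl, allowedHosts) {
  const u = new URL(pageUrl);
  const host = u.searchParams.get('host') || u.hostname;
  const port = u.searchParams.get('port') || (u.protocol === 'https:' ? '443' : '80');
  if (!allowedHosts.includes(host)) {
    throw new Error('refusing to connect to untrusted host: ' + host);
  }
  if (!/^\d{1,5}$/.test(port) || Number(port) > 65535) {
    throw new Error('invalid port: ' + port);
  }
  return { host, port: Number(port) };
}

// Constructed sample: a status string a hostile server could send.
const hostileStatus = 'Connected <script>document.title = "owned"</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderStatusUnsafe(hostileStatus)); // markup survives: exploitable
  console.log(renderStatusSafe(hostileStatus));   // markup neutralised
  console.log(resolveTarget('http://good.example/vnc_auto.html?port=6080', ['good.example']));
}
```

The escaping step is what stops the status message from executing; the allowlist check is an independent layer that keeps a viewer page from being pointed at a server the operator never intended, which is the precondition for the attack described.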

Jeremy Stanley (fungi) wrote :

I've added an invalid OSSA bugtask (indicating that the OpenStack VMT won't issue a formal advisory for this) as it's clearly class C2 in our report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

I've subscribed the security team reviewers in case they determine they would like to release a security note as you indicate. Due to the fact that the NoVNC vulnerabilities you've linked above are public, it probably makes little sense to work on this report under embargo but I'll let the OSSG CoreSec members make that determination.

Changed in ossa:
status: New → Invalid
Travis McPeak (travis-mcpeak) wrote :

I don't see much of a case for releasing a note about a bad version of a third party component with an update already available.

Jeremy Stanley (fungi) wrote :

In that case, no objections from the OSSN editors for switching this bug to public?

Luke Hinds (lhinds) wrote :

Sounds fine to me; it will help get more authors' eyes on it to write a note too.

Luke Hinds (lhinds) wrote :

Or rather, I echo Travis' point, in that patches are already there, so no need for an OSSN.

Jeremy Stanley (fungi) wrote :

Switched to public as discussed. Thanks for the heads up on this one, David!

information type: Private Security → Public
tags: added: security
Gary W. Smith (gary-w-smith) wrote :

It is my understanding, per the above, that this is a bug in a third-party component that has been fixed, so closing the horizon portion of this bug. If this is not the case, then feel free to reopen the bug and clarify.

Changed in horizon:
status: New → Invalid