Heat template network discovery

Bug #2032682 reported by John Herdman
Affects                        Status      Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)  New         Undecided   Unassigned
OpenStack Heat                 New         Undecided   Unassigned
OpenStack Security Advisory    Incomplete  Undecided   Unassigned

Bug Description

While this issue appears fixed for any localhost calls (https://bugs.launchpad.net/ossa/+bug/1606500), Horizon/Heat still returns additional information when an IP is provided. For instance, when using http://x.x.x.x:22, if the IP is reachable, the SSH banner is returned. This works for any IP:port combination beyond localhost.

It appears as though it should only return "Template format version not found". This occurs when using the URL source, as well as when using direct input and providing the source in the user_data / get_file format.
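One way to keep the user-visible error fixed no matter what the fetched URL returns, as an added example that is not Heat's own code: the loader, the `fetch` callable injected for offline use, the JSON-only parsing standing in for Heat's YAML/JSON loader, and the sample responses are all assumptions.

```python
import json
import logging
from typing import Callable

log = logging.getLogger("template_fetch")

# Keys that mark a document as a template (hypothetical loader, JSON only).
VERSION_KEYS = ("heat_template_version", "HeatTemplateFormatVersion",
                "AWSTemplateFormatVersion")


class TemplateError(Exception):
    """Raised to the user; its message is a fixed string, never response content."""


def parse_template(raw: bytes) -> dict:
    """Accept only a JSON mapping carrying a version key; otherwise fail generically."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        # Detail stays in the server log; 'from None' drops the chained context too.
        log.warning("template parse failed: %s", type(exc).__name__)
        raise TemplateError("Template format version not found") from None
    if not isinstance(doc, dict) or not any(k in doc for k in VERSION_KEYS):
        raise TemplateError("Template format version not found")
    return doc


def fetch_template(url: str, fetch: Callable[[str], bytes]) -> dict:
    """fetch() is injected so this runs offline; it stands in for the HTTP client."""
    try:
        raw = fetch(url)
    except Exception as exc:  # transport errors must not leak their text either
        log.warning("fetch of %s failed: %s", url, type(exc).__name__)
        raise TemplateError("Failed to retrieve template") from None
    return parse_template(raw)


# Constructed responses standing in for what a URL fetch might return.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"          # a non-HTTP service answering
GOOD_TEMPLATE = b'{"heat_template_version": "2021-04-16", "resources": {}}'


def user_facing_error(raw: bytes) -> str:
    """Return the message a user would see for a given fetched body, '' on success."""
    try:
        fetch_template("http://example.invalid/", lambda _url: raw)
    except TemplateError as exc:
        return str(exc)
    return ""
```

The check worth keeping in a test suite is that `user_facing_error(SSH_BANNER)` contains none of the fetched bytes, only the fixed message.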


Jeremy Stanley (fungi) wrote (last edit ):

Sorry, since this was opened as a normal bug it went unnoticed by the VMT. I've now switched it to be a security bug for better tracking, which will hopefully encourage it to be addressed more quickly. Also, to be clear, Heat uses https://storyboard.openstack.org/#!/project/openstack/heat for defect tracking, according to its project page on LP. I've opened https://storyboard.openstack.org/#!/story/2011001 now to bring it to their attention.

Changed in ossa:
status: New → Incomplete
information type: Public → Public Security
Zane Bitter (zaneb) wrote :

There's not enough info here to determine whether there is a problem in Heat. The fix from bug 1606500 is still in place and no information from the exception is returned to the user, so it can't be the same issue: https://opendev.org/openstack/heat/src/branch/master/heat/common/urlfetch.py#L83

Where/how did you pass the URL? What is the error message you are seeing?

John Herdman (jherdman) wrote :

Thank you both. If I pass http://x.x.x.x:22 and x.x.x.x is a reachable IP, I see the SSH banner, as shown in the attached example.
