Backport the fix for Horizon CVE-2016-4428 vulnerability (OSSA-2016-010)

Bug #1590372 reported by Timur Sufiev on 2016-06-08
Affects              Status  Importance  Assigned to        Milestone
Mirantis OpenStack           Critical    Timur Sufiev
7.0.x                        Critical    Denis Meltsaykin
8.0.x                        Critical    Alex Ermolov
9.x                          Critical    Timur Sufiev

Bug Description

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: XSS in Horizon client side template
Reporter: Beth Lancaster and Brandon Sawyers (Virginia Tech)
Products: Horizon
Affects: <=8.0.1, >=9.0.0 <=9.0.1

Description:
Beth Lancaster and Brandon Sawyers from Virginia Tech reported a
vulnerability in Horizon. By injecting an AngularJS template in dashboard
forms, such as an image's description, an authenticated user may trigger a
cross-site scripting vulnerability when another user browses the
affected pages. It may result in potential asset theft like user access
credentials. All Horizon setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/liberty, stable/mitaka and master/newton on the
public disclosure date.

CVE: CVE-2016-4428

Proposed public disclosure date/time:
2016-06-15, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

CVE References
CVE-2016-4428

Timur Sufiev (tsufiev-x) on 2016-06-08
tags: added: area-horizon
Changed in mos:
assignee: nobody → Timur Sufiev (tsufiev-x)
Timur Sufiev (tsufiev-x) wrote :

The patch being backported to 9.0/mitaka branch is here: https://review.fuel-infra.org/#/c/21818/

Dina Belova (dbelova) wrote :
tags: added: feature-security
tags: added: on-verification
Sergei Chipiga (schipiga) wrote :

Checked with mos9.0#495 RC2.
The patched escape function is present in settings after deploy.
Tested escaping with volume description, image description and user description.
Fixed.
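
The advisory above describes the payload as an AngularJS template expression placed in a free-text field such as an image description, and the verification comment checks that descriptions are escaped once the patched escape function is in place. The script below is an added example (mine, not Horizon's, Mirantis's or the patch's code) showing why ordinary HTML escaping does not stop this class of XSS and how to check a rendered page for it: it parses the HTML the way a browser would, decodes entities, and reports every interpolation marker the Angular compiler would still see outside an `ng-non-bindable` element. The `{$ $}` symbol pair is assumed as the Horizon-style alternative to Angular's default `{{ }}`; the three renderers, the sample description and the function names are constructed for this demonstration and do not appear on the page.

```python
"""Find AngularJS interpolation markers that survive into the DOM of a rendered page.

Added illustration for the Horizon XSS class discussed above; not Horizon's own
code.  Assumption: the app uses either Angular's default {{ }} symbols or the
{$ $} pair that Django-hosted Angular apps commonly configure.
"""
import html
import re
from html.parser import HTMLParser

INTERPOLATION_SYMBOLS = (("{{", "}}"), ("{$", "$}"))

# Elements that never take an end tag; needed to keep the open-tag stack honest.
VOID_ELEMENTS = frozenset(
    "area base br col embed hr img input link meta param source track wbr".split())


def _marker_patterns(symbols):
    return [re.compile(re.escape(start) + r".*?" + re.escape(end), re.DOTALL)
            for start, end in symbols]


class _InterpolationScanner(HTMLParser):
    """Walk the parsed document the way Angular's $compile walks the DOM.

    Text nodes and attribute values are examined *after* entity decoding,
    because that is what the browser hands to Angular.  Anything inside an
    element carrying ng-non-bindable is skipped, since ngNonBindable is a
    terminal directive in AngularJS 1.x and stops compilation of that subtree.
    """

    def __init__(self, symbols):
        super().__init__(convert_charrefs=True)
        self._patterns = _marker_patterns(symbols)
        self._stack = []      # (tag, shielded_by_ng_non_bindable)
        self._text = []       # buffered text of the node being read
        self.findings = []    # (kind, location, matched_marker)

    @property
    def _shielded(self):
        return any(flag for _, flag in self._stack)

    def _scan(self, kind, where, value):
        for pattern in self._patterns:
            for match in pattern.finditer(value):
                self.findings.append((kind, where, match.group(0)))

    def _flush_text(self):
        if self._text:
            data = "".join(self._text)
            self._text = []
            if not self._shielded:
                self._scan("text", "/".join(tag for tag, _ in self._stack), data)

    def handle_starttag(self, tag, attrs):
        self._flush_text()
        shielded = self._shielded or any(name == "ng-non-bindable" for name, _ in attrs)
        if not shielded:
            for name, value in attrs:          # attribute values are interpolated too
                if value:
                    self._scan("attr", f"{tag}[{name}]", value)
        if tag not in VOID_ELEMENTS:
            self._stack.append((tag, shielded))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_ELEMENTS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        self._flush_text()
        while self._stack:                     # pop to the matching open tag (well-formed input assumed)
            open_tag, _ = self._stack.pop()
            if open_tag == tag:
                break

    def handle_data(self, data):
        self._text.append(data)

    def close(self):
        super().close()
        self._flush_text()


def find_live_interpolation(document, symbols=INTERPOLATION_SYMBOLS):
    """Return [(kind, location, marker)] for every expression Angular would evaluate."""
    scanner = _InterpolationScanner(symbols)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def render_cell_html_escape_only(description):
    """What a plain Django {{ description }} emits: entities for < > & " ' only."""
    return f"<td>{html.escape(description)}</td>"


def render_cell_entity_braces(description):
    """HTML-escape and entity-encode the braces as well (looks safer; see the check)."""
    escaped = html.escape(description).replace("{", "&#123;").replace("}", "&#125;")
    return f"<td>{escaped}</td>"


def render_cell_non_bindable(description):
    """HTML-escape and fence the text off from the Angular compiler."""
    return f'<td><span ng-non-bindable>{html.escape(description)}</span></td>'


# Constructed sample: an image description carrying a harmless Angular expression.
SAMPLE_DESCRIPTION = "Ubuntu 16.04 {$ 6 * 7 $} <b>x</b>"

if __name__ == "__main__":
    for render in (render_cell_html_escape_only, render_cell_entity_braces,
                   render_cell_non_bindable):
        print(f"{render.__name__}: {find_live_interpolation(render(SAMPLE_DESCRIPTION))}")
```

Run it as a regression check over rendered templates or fixtures rather than over raw template source. The second renderer is still flagged on purpose: the browser's HTML parser turns `&#123;` back into `{` before Angular compiles the DOM, so entity-encoding the markers alone does not keep user-controlled text away from the interpolation engine, whereas wrapping it in `ng-non-bindable` (or keeping it out of Angular-compiled markup entirely) does.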

information type: Private Security → Public Security

Fix proposed to branch: 11.0/ocata
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/34194

Fix proposed to branch: mcp/newton
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/34229

Fix proposed to branch: mcp/ocata
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/34874

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: 11.0/ocata
Review: https://review.fuel-infra.org/34194
Reason: 11.0/ocata is obsolete. We use mcp/ocata instead.

Change abandoned by Ivan Kolodyazhny <email address hidden> on branch: mcp/ocata
Review: https://review.fuel-infra.org/34874
Reason: Already merged

Change abandoned by Michael Dovgal <email address hidden> on branch: mcp/newton
Review: https://review.fuel-infra.org/34229
Reason: already merged

summary: - Backport the fix for Horizon CVE-2016-4428 vulnerability
+ Backport the fix for Horizon CVE-2016-4428 vulnerability (OSSA-2016-010)