Backport upstream security fix for login page DOS-attack vulnerability (CVE-2014-8124)

Bug #1398893 reported by Timur Sufiev
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Fix Committed | Critical | Timur Sufiev |
5.1.x | Fix Released | Critical | Alexey Khivin |

Bug Description

Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Tags: horizon

CVE References

Timur Sufiev (tsufiev-x)
Changed in mos:
status: New → In Progress
milestone: none → 6.0
Changed in mos:
status: In Progress → Fix Committed
Mike Scherbakov (mihgen) wrote :

Please provide a ref to the patch.

Timur Sufiev (tsufiev-x) wrote :

Here you are: https://review.fuel-infra.org/#/c/1228/ The fix to django-openstack-auth is applied in the OBS, thus I cannot provide a ref to it.

Timur Sufiev (tsufiev-x) wrote :

Opening since it's opened in upstream: https://bugs.launchpad.net/horizon/+bug/1394370

information type: Private Security → Public Security
OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9.git.867e12d.c9b0cb2

Changeset: https://review.fuel-infra.org/2115
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.git.867e12d.c9b0cb2.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.git.867e12d.c9b0cb2.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.git.867e12d.c9b0cb2.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.git.867e12d.c9b0cb2.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2115/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira6+git.867e12d.c9b0cb2

Changeset: https://review.fuel-infra.org/2115
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira6+git.867e12d.c9b0cb2_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira6+git.867e12d.c9b0cb2_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira6+git.867e12d.c9b0cb2_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira6+git.867e12d.c9b0cb2_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2115/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9.git.a828a43.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.git.a828a43.c9b0cb2.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.git.a828a43.c9b0cb2.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.git.a828a43.c9b0cb2.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.git.a828a43.c9b0cb2.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2171/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7+git.a828a43.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7+git.a828a43.c9b0cb2_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7+git.a828a43.c9b0cb2_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7+git.a828a43.c9b0cb2_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7+git.a828a43.c9b0cb2_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2171/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9.git.a8b93e3.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.git.a8b93e3.c9b0cb2.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.git.a8b93e3.c9b0cb2.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.git.a8b93e3.c9b0cb2.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.git.a8b93e3.c9b0cb2.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2171/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7+git.a8b93e3.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7+git.a8b93e3.c9b0cb2_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7+git.a8b93e3.c9b0cb2_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7+git.a8b93e3.c9b0cb2_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7+git.a8b93e3.c9b0cb2_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2171/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9.git.ec33d56.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2171/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7+git.ec33d56.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2171/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira10

Changeset: https://review.fuel-infra.org/4800
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira10.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira10.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira10.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira10.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira8

Changeset: https://review.fuel-infra.org/4800
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira8_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira8_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira8_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira8_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package horizon has been built for project openstack/horizon
Package version == 2014.2, package release == fuel6.0.mira10

Changeset: https://review.fuel-infra.org/5119
project: openstack/horizon
branch: openstack-ci/fuel-6.0-updates/2014.2
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-2014.2-fuel6.0.mira10.noarch.rpm
python-django-horizon-2014.2-fuel6.0.mira10.noarch.rpm
python-django-horizon-doc-2014.2-fuel6.0.mira10.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-updates-stable/centos

OSCI Robot (oscirobot) wrote :

DEB package horizon has been built for project openstack/horizon
Package version == 2014.2, package release == fuel6.0~mira14

Changeset: https://review.fuel-infra.org/5119
project: openstack/horizon
branch: openstack-ci/fuel-6.0-updates/2014.2
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.2-fuel6.0~mira14_all.deb
openstack-dashboard_2014.2-fuel6.0~mira14_all.deb
python-django-horizon_2014.2-fuel6.0~mira14_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable/ubuntu

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Timur Sufiev <email address hidden>
Review: https://review.fuel-infra.org/8139

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Alex Khivin <email address hidden>
Review: https://review.fuel-infra.org/9341

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Timur Sufiev <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8139
Reason: Already there since stable/kilo merge.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/9341
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 818be36550701873b3882ebf687593cac911aeff
Author: Alexey Khivin <email address hidden>
Date: Tue Jul 14 16:37:48 2015

Horizon login page contains DOS attack mechanism

The Horizon login page (really the middleware) accesses the session
too early in the login process, which will create session records
in the session backend. This is especially problematic when non-cookie
backends are used.

After speaking with Eric Peterson privately on IRC, we agreed that the line
`response.delete_cookie('logout_reason')` in
openstack_dashboard/views.py is not related to the sessions issue (and
was just a clean-up).

Change-Id: I0aeb98da8e9a21262f4a602a5ddae4a4315100e7
Closes-Bug: #1398893
Closes-Bug: #1399271
(cherry picked from commit ec33d56d4fd93cc8fda4b7ef4ae259de4806f5f3)

Vadim Rovachev (vrovachev) wrote :

Steps to reproduce:
1. Stop apache

2. Change the session backend (/etc/openstack-dashboard/local_settings.py):
SESSION_ENGINE = 'django.contrib.sessions.backends.db'

DATABASES = {
    'default': {
        # Database configuration here
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'dash',
        'USER': 'dash',
        'PASSWORD': 'DASH_DBPASS',
        'HOST': 'localhost',
        'default-character-set': 'utf8'
    }
}

3. Run the command:
/usr/share/openstack-dashboard/manage.py syncdb

4. Start apache

5. Connect to mysql and switch to the dash database:
mysql dash

6. Look at the record count in the table:
select * from django_session;

7. Run the attached script:
python <script.py>

8. Look at the record count in the table again:
select * from django_session;

If the count has not changed, the bug is not reproduced.

Vadim Rovachev (vrovachev) wrote :

Sorry, colleagues. In the previous comment, step 3 and the script are wrong.
Correct step 3:
Run the commands:
mysql
CREATE DATABASE dash;
GRANT ALL PRIVILEGES ON dash.* TO 'dash'@'%' IDENTIFIED BY 'DASH_DBPASS';
GRANT ALL PRIVILEGES ON dash.* TO 'dash'@'localhost' IDENTIFIED BY 'DASH_DBPASS';
exit;
/usr/share/openstack-dashboard/manage.py syncdb

The correct script is attached.
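The verification above works by counting django_session rows by hand. As an added example (not from this bug report, the attached script, or Horizon's own code), here is a defender-side check for the symptom the description names: a burst of anonymous session rows created in a short window. It assumes Django's JSON session serializer format (base64 of "hmac:json"), the default SESSION_COOKIE_AGE, and a constructed django_session table in SQLite standing in for the MySQL "dash" database.

```python
import base64
import json
import sqlite3
from collections import Counter
from datetime import datetime, timedelta

SESSION_COOKIE_AGE = 1209600  # assumption: Django's default (two weeks) is in force
TS_FMT = "%Y-%m-%d %H:%M:%S"

def decode_session_data(blob):
    """Decode a JSONSerializer payload, base64("<hmac>:<json>"); {} if undecodable."""
    try:
        _hmac, _, payload = base64.b64decode(blob).partition(b":")
        return json.loads(payload)
    except ValueError:  # binascii.Error and json.JSONDecodeError are both ValueErrors
        return {}

def anonymous_session_bursts(conn, threshold):
    """Return {minute: count} for minutes in which more than `threshold`
    sessions without _auth_user_id were created. django_session has no
    created column, so creation time is inferred as expire_date - SESSION_COOKIE_AGE."""
    per_minute = Counter()
    for data, expire in conn.execute("SELECT session_data, expire_date FROM django_session"):
        if "_auth_user_id" in decode_session_data(data):
            continue  # a real login, not the symptom of this bug
        created = datetime.strptime(expire, TS_FMT) - timedelta(seconds=SESSION_COOKIE_AGE)
        per_minute[created.replace(second=0, microsecond=0)] += 1
    return {minute: n for minute, n in per_minute.items() if n > threshold}

def _row(key, payload, created):
    # Constructed row; the HMAC prefix is not verified by this check, so a dummy is used.
    data = base64.b64encode(b"dummyhmac:" + json.dumps(payload).encode()).decode()
    return key, data, (created + timedelta(seconds=SESSION_COOKIE_AGE)).strftime(TS_FMT)

def build_sample_table():
    """Constructed django_session contents: three real logins spread over an
    hour, plus 50 anonymous sessions created within a single minute."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE django_session (session_key TEXT PRIMARY KEY, "
                 "session_data TEXT, expire_date TEXT)")
    base = datetime(2014, 12, 5, 10, 0, 0)
    rows = [_row(f"user{i}", {"_auth_user_id": str(i + 1)}, base + timedelta(minutes=20 * i))
            for i in range(3)]
    rows += [_row(f"anon{i}", {}, base + timedelta(minutes=30, seconds=i)) for i in range(50)]
    conn.executemany("INSERT INTO django_session VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    for minute, n in anonymous_session_bursts(build_sample_table(), threshold=10).items():
        print(f"{minute}: {n} anonymous sessions created")
```

Against a real deployment, point the connection at the dash database instead of the constructed table; a fixed Horizon should show no growth in anonymous rows while the login page is hit repeatedly.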

Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

This report contains Public Security information  
Everyone can see this security related information.
