Nova console Cross-Site WebSocket hijacking
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Roman Podoliaka |
5.0.x | Won't Fix | Critical | Denis Meltsaykin |
5.1.x | Fix Released | Critical | Denis Meltsaykin |
6.0.x | Fix Released | Critical | Denis Meltsaykin |
6.1.x | Fix Released | High | Roman Podoliaka |
Bug Description
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.
Title: Nova console Cross-Site WebSocket hijacking
Reporter: Brian Manifold (Cisco)
Products: Nova
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.2
Description:
Brian Manifold from Cisco reported a vulnerability in Nova console websocket.
By tricking an authenticated user into clicking a malicious URL, a remote
attacker may trigger a cross-site-
in potential hijack of consoles where the user is still logged in. Only Nova
setups with vnc or spice enabled are affected.
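The flaw above is a cross-site WebSocket hijacking (CSWSH) issue: a console proxy that upgrades a WebSocket connection on the strength of the browser's session alone lets a page under an attacker's control open that socket with the victim's credentials. The standard mitigation for this class, and the check a reviewer would expect in a console proxy, is to validate the Origin header of the upgrade request against the host the proxy is actually serving before completing the handshake. The following is an added example written for this page, not Nova's attached patch or any Nova code; the header layout, the `proxy_scheme` argument, the `allowed_origins` list and the sample handshakes are all assumptions constructed for the illustration.

```python
"""Origin validation for a WebSocket console proxy (illustrative, not Nova's code).

A browser always sends an Origin header on a WebSocket upgrade, so the proxy
can refuse handshakes whose Origin is neither the proxy's own host nor an
explicitly configured origin. That is what stops a third-party page from
reusing a logged-in user's session against the console.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _canonical(netloc, scheme):
    """Return 'host' or 'host:port' with case and the default port normalized,
    or None when the netloc cannot be parsed."""
    try:
        parts = urlsplit(f"{scheme}://{netloc}")
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None
    if not host:
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return host
    return f"{host}:{port}"


def _origin_key(url):
    """Reduce 'scheme://host[:port]' to a comparable key; None if unusable
    (covers 'null', file://, and malformed values)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return None
    netloc = _canonical(parts.netloc, parts.scheme)
    return None if netloc is None else f"{parts.scheme}://{netloc}"


def origin_allowed(headers, proxy_scheme="https", allowed_origins=()):
    """Decide whether the upgrade may proceed.

    headers: dict of lower-cased header names -> values.
    proxy_scheme: scheme the proxy is served on (assumed known from config).
    allowed_origins: extra 'scheme://host[:port]' values to accept, e.g. a
    dashboard on another host (assumed to come from configuration).

    A request with no Origin at all is treated as a non-browser client, which
    cannot be cross-site; that is a design choice of this example.
    """
    origin = headers.get("origin")
    if origin is None:
        return True
    key = _origin_key(origin)
    if key is None:
        return False
    # Same-origin check: the Origin must match the Host header under the
    # proxy's own scheme, which also rejects an http origin on an https proxy.
    own = _origin_key(f"{proxy_scheme}://{headers.get('host', '')}")
    if own is not None and key == own:
        return True
    allowed = {_origin_key(a) for a in allowed_origins} - {None}
    return key in allowed


def parse_handshake(raw):
    """Parse the header block of an HTTP/1.1 upgrade request into a dict with
    lower-cased names. Only the first value of a repeated header is kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_handshake(raw, proxy_scheme="https", allowed_origins=()):
    """Return 'accept' or 'reject' for a raw upgrade request."""
    ok = origin_allowed(parse_handshake(raw), proxy_scheme, allowed_origins)
    return "accept" if ok else "reject"


# Constructed sample handshakes (not captured traffic).
GOOD_REQUEST = (
    b"GET /websockify?token=abc HTTP/1.1\r\n"
    b"Host: novnc.example:6080\r\n"
    b"Origin: https://novnc.example:6080\r\n"
    b"Upgrade: websocket\r\n\r\n"
)
CROSS_SITE_REQUEST = (
    b"GET /websockify?token=abc HTTP/1.1\r\n"
    b"Host: novnc.example:6080\r\n"
    b"Origin: https://third-party.example\r\n"
    b"Upgrade: websocket\r\n\r\n"
)

if __name__ == "__main__":
    print("same-origin :", check_handshake(GOOD_REQUEST))
    print("cross-site  :", check_handshake(CROSS_SITE_REQUEST))
```

The comparison is done on a normalized key (lower-cased host, default port dropped, scheme included) so that `https://Host:443` and `https://host` compare equal while an `http://` origin against an `https://` proxy does not; a WebSocket proxy that only checked the session cookie, or compared raw header strings, would miss both of those cases.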
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/icehouse, stable/juno and master on the public
disclosure date.
CVE: CVE-2015-0259
Proposed public disclosure date/time:
2015-02-12, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
no longer affects: mos/7.0.x
Changed in mos:
status: Fix Committed → Fix Released
tags: added: feature-security
Waiting for the vulnerability to be disclosed and the fix to be merged to stable/juno