Comment 47 for bug 1409142

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

@Dave I'm not sure NoVNC needs any change... Besides, I don't think NoVNC is a supported project, it does not show up in the official programs list and does not follow the stable releases.

IIUC it is the websocketproxy that lacks the check on the proto, and an out of band solution (e.g. no additional headers) that can reconstruct the 'access_url' would be great! Can you amend this change to the initial patch in order to have a single patch for this issue?

About the OSSA task, as the CVE has not been disclosed and the new attack exploits the same vulnerability, we may keep the same number with this updated impact description:

Title: Nova console Cross-Site WebSocket hijacking
Reporter: Brian Manifold (Cisco), Paul McMillan (Nebula)
Products: Nova
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.2

Description:
Brian Manifold from Cisco and Paul McMillan from Nebula reported a vulnerability in Nova console websocket. By tricking an authenticated user into visiting a malicious URL, a remote attacker or a man in the middle may exploit a cross-site-websocket-hijacking vulnerability resulting in potential hijack of consoles where the user is still logged in. Only Nova setups with vnc or spice enabled are affected.
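
The proto check discussed in the comment above, shown as an added example that is not part of the original comment and is not Nova's code: a proxy-side handshake check that compares the browser's `Origin` header (scheme, host and port) with the console's `access_url`. The function names, the header dict shape, the sample URLs and the choice to reject a missing `Origin` are assumptions made for illustration.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlparse(url)
        scheme = parts.scheme.lower()
        host = parts.hostname          # already lower-cased by urlparse
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port or DEFAULT_PORTS[scheme])


def origin_allowed(headers, access_url):
    """Accept the WebSocket upgrade only if Origin matches access_url.

    headers    -- handshake request headers as a dict (hypothetical shape)
    access_url -- URL the console page was issued under (constructed sample
                  values below; a real proxy would look it up for the token)
    """
    origin = headers.get("Origin")
    if not origin:
        # Assumption: this proxy only serves browsers, which always send
        # Origin on a WebSocket handshake, so a missing header is refused.
        return False
    expected = origin_tuple(access_url)
    # Comparing the scheme as well as host and port is the "proto" check:
    # an http:// page on the same host must not reach an https:// console.
    return expected is not None and origin_tuple(origin) == expected


# Constructed sample input, not taken from the bug report.
SAMPLE_ACCESS_URL = "https://console.example.test:6080/vnc_auto.html?token=CONSTRUCTED"

if __name__ == "__main__":
    for candidate in ("https://console.example.test:6080",
                      "http://console.example.test:6080",
                      "https://other.example.test",
                      "null"):
        print(candidate, origin_allowed({"Origin": candidate}, SAMPLE_ACCESS_URL))
```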