2015-04-23 15:40:44 |
Jeremy Stanley |
bug |
|
|
added bug |
2015-04-23 15:40:58 |
Jeremy Stanley |
bug |
|
|
added subscriber ANNOUR |
2015-04-23 15:43:29 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-04-23 15:43:34 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-04-23 15:44:18 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
2015-04-23 20:44:27 |
Andrew Laski |
bug |
|
|
added subscriber Solly Ross |
2015-05-01 05:38:09 |
Tony Breeds |
attachment added |
|
Introduce a config option to make consoleauth tokens one use only https://bugs.launchpad.net/nova/+bug/1447679/+attachment/4388762/+files/0001-Add-one_time_token-config-option.patch |
|
2015-05-01 05:38:41 |
Tony Breeds |
nova: importance |
Undecided |
Medium |
|
2015-05-01 05:38:41 |
Tony Breeds |
nova: status |
New |
Confirmed |
|
2015-05-11 14:03:43 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Won't Fix |
|
2015-05-11 14:03:52 |
Tristan Cacqueray |
information type |
Private Security |
Public |
|
2015-05-12 00:53:27 |
OpenStack Infra |
nova: status |
Confirmed |
In Progress |
|
2015-05-12 00:53:27 |
OpenStack Infra |
nova: assignee |
|
Tony Breeds (o-tony) |
|
2015-06-04 19:47:42 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments.
Reported via private E-mail from Anass ANNOUR:
I found that the service No-VNC (port 6080) doesn't require authentication, if you know the URL (ex: http://192.168.198.164:6080/vnc_auto.html?token=3640a3c8-ad10-45da-a523-18d3793ef8ec) you can access the machine from any other computer without any authentication before the token expires. (or in the same time as user still use the console) |
Reported via private E-mail from Anass ANNOUR:
I found that the service No-VNC (port 6080) doesn't require authentication, if you know the URL (ex: http://192.168.198.164:6080/vnc_auto.html?token=3640a3c8-ad10-45da-a523-18d3793ef8ec) you can access the machine from any other computer without any authentication before the token expires. (or in the same time as user still use the console) |
|
2015-06-05 00:52:21 |
Tony Breeds |
tags |
|
security |
|
2015-07-21 19:11:19 |
OpenStack Infra |
nova: assignee |
Tony Breeds (o-tony) |
Michael Still (mikalstill) |
|
2015-08-12 19:36:05 |
Ahmed Rahal |
bug |
|
|
added subscriber Ahmed Rahal |
2015-09-02 07:14:39 |
Takashi Natsume |
bug |
|
|
added subscriber Takashi NATSUME |
2016-03-06 15:09:56 |
Davanum Srinivas (DIMS) |
nova: assignee |
Michael Still (mikalstill) |
|
|
2016-03-06 15:09:59 |
Davanum Srinivas (DIMS) |
nova: status |
In Progress |
Confirmed |
|
2016-06-28 03:37:46 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |