The web server allows the HTTP TRACE or TRACK methods.

Bug #1319319 reported by Zhang Yun
Affects                        Status        Importance  Assigned to      Milestone
OpenStack + Chef               Fix Released  Low         Mark Vanderwiel
OpenStack Dashboard (Horizon)  Invalid       Undecided   Unassigned
OpenStack Security Advisory    Invalid       Undecided   Unassigned

Bug Description

Horizon is affected by it. This is related to the configuration of "RewriteCond" in sites-enabled/openstack-dashboard, covered by the stackforge/cookbook-openstack-dashboard project.

Tags: dashboard
Zhang Yun (zhangyun)
information type: Private Security → Public Security
Changed in ossa:
status: New → Incomplete
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

The advisory task is incomplete pending additional details from security reviewers (horizon-coresec).

Revision history for this message
Thierry Carrez (ttx) wrote :

Hmm, this seems to be a Horizon packaging/deployment issue (if it is an issue at all). Since we don't cover stackforge/cookbook-openstack-dashboard from a security perspective, I don't see the need for an OSSA advisory here. Shouldn't this bug be reported against the cookbook maintainers instead?

Revision history for this message
Thierry Carrez (ttx) wrote :

That would be an issue in the cookbook.

Changed in ossa:
status: Incomplete → Invalid
Changed in horizon:
status: New → Invalid
Revision history for this message
Mark Vanderwiel (vanderwl) wrote :

What is the bug here? Here's the RewriteCond logic: https://github.com/stackforge/cookbook-openstack-dashboard/blob/master/templates/default/dash-site.erb#L13

Please provide more information about what needs to be changed.

Changed in openstack-chef:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack + Chef because there has been no activity for 60 days.]

Changed in openstack-chef:
status: Incomplete → Expired
Revision history for this message
Zhang Yun (zhangyun) wrote :

Hi Mark, could we disable HTTP TRACE support in our web server to avoid this security issue?

Changed in openstack-chef:
status: Expired → New
Revision history for this message
Mark Vanderwiel (vanderwl) wrote :

Yes, I believe we can easily disable this using the apache cookbook attribute default['apache']['traceenable'] = 'Off'

This can be done in your own environment file or we could add it to the repo env examples or we would consider changing it in the dashboard server recipe. Since it's quite specific to apache, my gut thinks this should not be part of the dashboard cookbook.
Opinions?

Changed in openstack-chef:
status: New → Confirmed
Revision history for this message
Mark Vanderwiel (vanderwl) wrote :

Or do we need to change the dashboard dash-site template from

RewriteCond %{HTTPS} off

to

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

According to this post: http://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

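Whichever of the two mitigations above is chosen (the apache cookbook's TraceEnable attribute from comment #7 or the REQUEST_METHOD RewriteCond from comment #8), the deployed server should be verified afterwards. The following is an added example, not code from the cookbook or from Horizon: a probe that reports whether a server still reflects TRACE/TRACK requests, plus a constructed stand-in HTTP server that imitates Apache with TraceEnable on and off so the check can be run offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"  # header we expect reflected back if TRACE is honoured

def trace_enabled(host, port, method="TRACE", timeout=5):
    """True when the server echoes our request back (TRACE/TRACK honoured).
    Apache with TraceEnable on (its default) answers 200 and reflects the
    request; TraceEnable off gives 405 and the REQUEST_METHOD rewrite gives
    403, so only a 200 carrying our marker counts as enabled."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={MARKER: "probe"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return resp.status == 200 and MARKER.encode() in body

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache; trace_on plays the TraceEnable switch."""
    trace_on = True

    def do_TRACE(self):
        if not self.trace_on:
            self.send_error(405)  # what Apache sends with TraceEnable off
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)
    do_TRACK = do_TRACE

    def log_message(self, *args):
        pass  # keep the demo server quiet

def run_demo(trace_on):
    """Start the stand-in on a free local port, probe it, return the verdict."""
    DemoHandler.trace_on = trace_on
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_enabled(*server.server_address)  # True if TRACE reflected
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, call trace_enabled(host, 80) and trace_enabled(host, 80, "TRACK") directly; the demo server is only there to exercise both outcomes locally.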
Revision history for this message
Zhang Yun (zhangyun) wrote :

Hi Mark, it seems like #8 is a good solution; what is your opinion?

Revision history for this message
Mark Vanderwiel (vanderwl) wrote :

Yes, #8 seems like a good approach.

Changed in openstack-chef:
assignee: nobody → Mark Vanderwiel (vanderwl)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/130290

Changed in openstack-chef:
status: Confirmed → In Progress
tags: added: dashboard
Changed in openstack-chef:
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/130290
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=e3b14df8a2416734fb08f34cd10645c2a39dd364
Submitter: Jenkins
Branch: master

commit e3b14df8a2416734fb08f34cd10645c2a39dd364
Author: Mark Vanderwiel <email address hidden>
Date: Wed Oct 22 12:45:06 2014 -0500

    Allow TraceEnable to be configurable

    Change-Id: I4e6c486b9af8f72080c5d47310615f7f9fef744b
    Closes-Bug: #1319319

Changed in openstack-chef:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cookbook-openstack-dashboard ocata-eol

This issue was fixed in the openstack/cookbook-openstack-dashboard ocata-eol release.
