Bug 1129774 (CVE-2014-3594)

Summary: CVE-2014-3594 openstack-horizon: persistent XSS in Horizon Host Aggregates interface
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chazlett, chrisw, dallan, gkotton, gmollett, itamar, jose.castro.leon, jpichon, jrusnack, lhh, lpeer, markmc, mmcallis, mrunge, nsantos, p, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-30 19:47:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1131805, 1131806, 1131807, 1131816, 1131817, 1131818
Bug Blocks: 1116095, 1129776
Attachments (Description / Flags):
  CVE-2014-3594 patch for stable/havana / none
  CVE-2014-3594 patch for stable/icehouse / none
  CVE-2014-3594 patch for master/juno / none

Description Vincent Danen 2014-08-13 15:44:11 UTC
Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.2

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for
IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A
malicious administrator may conduct a persistent XSS attack by registering
a malicious host aggregate in Horizon Host Aggregate interface. Once
executed in a legitimate context this attack may reveal another admin
token, potentially resulting in a lateral privilege escalation. All Horizon
setups are affected.


Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum as the original reporters.

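The advisory above describes the bug class, not the exact template that was affected, and the upstream patches are only referenced as attachments. The block below is an added, stand-alone Python illustration of that class, not Horizon's code and not the fix from the attachments: a host aggregate name stored by one administrator is later rendered into an HTML table seen by another administrator. The "unsafe" renderer interpolates the stored string verbatim (the effect of marking a template variable safe or disabling autoescaping), the "safe" renderer HTML-escapes every untrusted field, and a small audit function serves as the regression check a packager would want for a fix like this. The sample aggregate records, the payload string, the row template and all function names are hypothetical assumptions; Django is not imported so the example runs with the standard library only.

```python
"""Added example (not Horizon's code): persistent XSS through a stored
host aggregate name, the unsafe and the escaped rendering, and a check."""
import html
import re

# Constructed sample data: what the aggregate table might contain after a
# malicious administrator has registered an aggregate. The second name is a
# hypothetical payload; the reporters' actual payload is not on the page.
STORED_AGGREGATES = [
    {"id": 1, "name": "rack-a", "availability_zone": "nova"},
    {"id": 2, "name": '<img src=x onerror="alert(document.cookie)">',
     "availability_zone": "nova"},
]

# Hypothetical row template standing in for a Django table cell.
ROW_TEMPLATE = "<tr><td>{id}</td><td>{name}</td><td>{az}</td></tr>"


def render_row_unsafe(aggregate):
    """Vulnerable pattern: the stored name goes into the markup unchanged.
    In a Django template this is what happens when the value is wrapped in
    mark_safe()/|safe or rendered with autoescaping turned off."""
    return ROW_TEMPLATE.format(
        id=aggregate["id"],
        name=aggregate["name"],
        az=aggregate["availability_zone"],
    )


def render_row_safe(aggregate):
    """Fixed pattern: every untrusted field is HTML-escaped, quotes included,
    before it is placed in element content. Django's default autoescaping
    and format_html() give the same result; html.escape is used here so the
    example has no third-party dependency."""
    return ROW_TEMPLATE.format(
        id=html.escape(str(aggregate["id"]), quote=True),
        name=html.escape(aggregate["name"], quote=True),
        az=html.escape(aggregate["availability_zone"], quote=True),
    )


# A tag opener or an inline event handler in the *input* is the signal that
# the name is a markup payload rather than an ordinary aggregate name.
_TAG_OR_HANDLER = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=", re.IGNORECASE)


def audit(render):
    """Run a renderer over the stored aggregates and return the ids whose
    markup-bearing name reached the output verbatim, i.e. unescaped.
    An empty list means the renderer neutralised every stored payload."""
    findings = []
    for aggregate in STORED_AGGREGATES:
        rendered = render(aggregate)
        name = aggregate["name"]
        if _TAG_OR_HANDLER.search(name) and name in rendered:
            findings.append(aggregate["id"])
    return findings


if __name__ == "__main__":
    for aggregate in STORED_AGGREGATES:
        print("unsafe:", render_row_unsafe(aggregate))
        print("safe:  ", render_row_safe(aggregate))
    print("unsafe renderer findings:", audit(render_row_unsafe))
    print("safe renderer findings:  ", audit(render_row_safe))
```

The audit deliberately inspects the raw input for markup and then looks for that exact string in the output; checking the output alone for `<` would flag legitimate markup from the template itself. The same check can be pointed at a real view by replacing `render` with a function that renders the aggregate table and returns the response body.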
Comment 2 Vincent Danen 2014-08-13 18:55:34 UTC
Created attachment 926551 [details]
CVE-2014-3594 patch for stable/havana

Comment 3 Vincent Danen 2014-08-13 18:55:58 UTC
Created attachment 926552 [details]
CVE-2014-3594 patch for stable/icehouse

Comment 4 Vincent Danen 2014-08-13 18:56:24 UTC
Created attachment 926553 [details]
CVE-2014-3594 patch for master/juno

Comment 5 Murray McAllister 2014-08-20 06:17:18 UTC
This issue is public now:

http://seclists.org/oss-sec/2014/q3/413

Comment 7 Murray McAllister 2014-08-20 06:20:25 UTC
Created python-django-horizon tracking bugs for this issue:

Affects: fedora-all [bug 1131805]
Affects: epel-6 [bug 1131806]

Comment 9 Martin Prpič 2014-08-25 08:32:21 UTC
IssueDescription:

A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user.

Comment 12 errata-xmlrpc 2014-09-15 05:52:39 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1188 https://rhn.redhat.com/errata/RHSA-2014-1188.html

Comment 13 errata-xmlrpc 2014-09-30 17:18:49 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1335 https://rhn.redhat.com/errata/RHSA-2014-1335.html

Comment 14 errata-xmlrpc 2014-09-30 18:01:35 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1336 https://rhn.redhat.com/errata/RHSA-2014-1336.html