Bug 1410773
| Summary: | nova metadata exposure | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Nilesh <nchandek> |
| Component: | openstack-nova | Assignee: | Eoghan Glynn <eglynn> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Prasanth Anbalagan <panbalag> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 (Mitaka) | CC: | awaugama, berrange, dasmith, eglynn, kchamart, nchandek, rcritten, sbauza, sferdjao, sgordon, srevivo, vromanso |
| Target Milestone: | --- | Flags: | nchandek: automate_bug? nchandek: internal-review? |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-23 20:35:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Nilesh
2017-01-06 12:41:44 UTC
Upstream bug is already open for this issue: https://bugs.launchpad.net/nova/+bug/1563954/

I have discussed this with the security folks internal to Red Hat and also on the upstream mailing list [1]. It was discussed in the bug but not explicitly called out in OSSN-0074 that this issue only presents if Nova's use_forwarded_for configuration variable is set to True. Both Nova and the TripleO tooling we use to deploy it default this variable to False, thus unless the customer explicitly overrides this for their installation and sets use_forwarded_for to True they will be unaffected by this issue.

If they do set this value to True, then they are telling Nova to rely on X-Forwarded-For so that they can put a proxy in front of it. As part of configuring such a proxy they will need to ensure their network is designed correctly such that untrusted systems cannot connect directly to the service without going through the proxy, and also ensure their proxy correctly rewrites any existing X-Forwarded-For headers it may receive rather than passing them through untouched.

As the out of the box configuration we provide is not impacted I am closing this as CLOSED CURRENTRELEASE. They are of course welcome to try the reproducer listed in the OSSN [2] and verify for themselves.

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-January/110500.html
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0074

Thank you Stephen Gordon for speeding this up.
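The comment above turns on two trust decisions: whether a service that has `use_forwarded_for` enabled believes X-Forwarded-For from any peer, and whether the proxy in front of it rewrites that header or passes a client-supplied value through. The following is an added illustration written for this page, not Nova's code or anything from Red Hat or TripleO. `naive_client_ip` approximates the header-trusting behaviour the comment describes, `hardened_client_ip` only honours the header when the TCP peer is a known proxy, and `proxy_set_forwarded_for` shows the proxy-side rewrite. The trusted proxy range `10.0.0.0/24` and all request values are constructed for the demo.

```python
import ipaddress

# Constructed sample value: the address range the reverse proxy lives in.
# In a real deployment this would be the operator's own proxy addresses.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def naive_client_ip(remote_addr, headers, use_forwarded_for):
    """Approximation of the behaviour the bug describes: when use_forwarded_for
    is True, X-Forwarded-For is believed as-is, whatever peer sent it. With the
    option False the TCP peer address is used and the header is ignored."""
    if use_forwarded_for and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, headers, use_forwarded_for,
                       trusted_nets=TRUSTED_PROXY_NETS):
    """Honour X-Forwarded-For only when the request arrived from a trusted
    proxy; a request that bypassed the proxy falls back to the peer address."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if not use_forwarded_for or not xff:
        return str(peer)
    if not any(peer in net for net in trusted_nets):
        # The header did not come through our proxy, so it proves nothing.
        return str(peer)
    # If the proxy appends rather than rewrites, the rightmost hop is the one
    # it added itself, so that is the only entry that can be relied on.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)


def proxy_set_forwarded_for(incoming_headers, peer_addr):
    """What a correctly configured proxy should do: replace any inbound
    X-Forwarded-For with the address it actually accepted the connection from,
    instead of passing the client-supplied value through untouched."""
    out = dict(incoming_headers)
    out["X-Forwarded-For"] = peer_addr
    return out


if __name__ == "__main__":
    # Constructed request that reaches the service directly (peer 203.0.113.9)
    # while carrying a header naming some other address.
    hdrs = {"X-Forwarded-For": "198.51.100.1"}
    print(naive_client_ip("203.0.113.9", hdrs, use_forwarded_for=True))     # 198.51.100.1
    print(hardened_client_ip("203.0.113.9", hdrs, use_forwarded_for=True))  # 203.0.113.9
    # Same request relayed through the trusted proxy, which rewrote the header.
    relayed = proxy_set_forwarded_for(hdrs, "203.0.113.9")
    print(hardened_client_ip("10.0.0.5", relayed, use_forwarded_for=True))  # 203.0.113.9
```

The two service-side functions differ only in the peer check, which is exactly the network-design requirement the comment places on anyone who enables `use_forwarded_for`: the header is meaningful only if nothing but the proxy can reach the service.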