Bug 1961439 (CVE-2021-3654)

Summary: CVE-2021-3654 openstack-nova: novnc allows open redirection
Product: [Other] Security Response
Reporter: Summer Long <slong>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dasmith, eglynn, jhakimra, jjoyce, jschluet, kchamart, lhh, lpeer, mburns, nova-maint, sbauza, sclewis, seunlee, sgordon, slinaber, vromanso
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nova 21.2.3, nova 22.3.0, nova 23.1.0
Doc Type: If docs needed, set a value
Doc Text: A vulnerability was found in CPython which is used by openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-24 13:44:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1961446, 1961346, 1961351, 1961445
Bug Blocks: 1960387, 1983989

Description Summer Long 2021-05-17 23:54:48 UTC
novnc allows open redirection, which could allow phishing attempts.
Risk: By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts could have a more trustworthy appearance.

https://bugs.launchpad.net/nova/+bug/1927677
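To show why a request path beginning with `//` is dangerous in a handler built on CPython's `http.server`, and one way a console proxy can refuse it, here is an added example that is not Nova's or CPython's own code: `directory_redirect_target`, `collapse_leading_slashes` and `HardenedHandler` are assumed names, and `//attacker.example` is a constructed sample path.

```python
import urllib.parse
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def directory_redirect_target(request_path: str) -> str:
    """Reproduce only the Location computation the stock handler performs
    when a directory is requested without a trailing slash (urlsplit, append
    '/', urlunsplit). urlsplit treats a leading '//' as an authority, so the
    result becomes a scheme-relative absolute URL that browsers follow
    off-site. (The real handler also requires the path to resolve to an
    existing directory; that part is deliberately left out here.)"""
    parts = urllib.parse.urlsplit(request_path)
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urllib.parse.urlunsplit(new_parts)


def is_protocol_relative(request_path: str) -> bool:
    """True when a browser would read the request target as '//host/...'."""
    return request_path.startswith('//')


def collapse_leading_slashes(request_path: str) -> str:
    """Mitigation in the spirit of the CPython fix: reduce any run of leading
    slashes to a single '/' so the path can never parse as an authority."""
    if request_path.startswith('//'):
        return '/' + request_path.lstrip('/')
    return request_path


class HardenedHandler(SimpleHTTPRequestHandler):
    """Refuse protocol-relative request paths with 400 before the inherited
    directory redirect can run (hypothetical handler, not Nova's class)."""

    def send_head(self):
        if is_protocol_relative(self.path):
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()


if __name__ == "__main__":
    # Constructed sample: the same request path before and after hardening.
    sample = "//attacker.example"
    print("stock redirect  :", directory_redirect_target(sample))
    print("after collapse  :", directory_redirect_target(collapse_leading_slashes(sample)))
```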

Comment 4 Summer Long 2021-05-18 00:15:45 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1961446]

Comment 10 Summer Long 2021-11-01 22:38:05 UTC
Initial OSSA now out of date: https://security.openstack.org/ossa/OSSA-2021-002.html
Upstream fixes have been released: 21.2.3, 22.3.0, and 23.1.0
together with two additional stable-train commits: 
* https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
* https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb

Comment 11 Nick Tait 2022-03-09 21:23:39 UTC
Additional references:
https://bugs.python.org/issue43223
https://github.com/python/cpython/pull/24848

Comment 12 errata-xmlrpc 2022-03-23 22:26:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0999 https://access.redhat.com/errata/RHSA-2022:0999

Comment 13 errata-xmlrpc 2022-03-24 11:03:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0983 https://access.redhat.com/errata/RHSA-2022:0983

Comment 14 Product Security DevOps Team 2022-03-24 13:44:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3654