Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1190112 - (CVE-2015-0259) CVE-2015-0259 openstack-nova: console Cross-Site WebSocket hijacking
CVE-2015-0259 openstack-nova: console Cross-Site WebSocket hijacking
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150310,repo...
: Security
Depends On: 1200201 1200202 1200203 1200204 1200935 1201046 1202382
Blocks: 1190113 1194087
  Show dependency treegraph
 
Reported: 2015-02-06 06:27 EST by Vasyl Kaigorodov
Modified: 2016-04-27 01:07 EDT (History)
27 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-14 18:45:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
upstream patch cve-2015-0259-stable-juno.patch (5.13 KB, text/plain)
2015-02-09 11:54 EST, Martin Prpič 		no flags Details
upstream patch cve-2015-0259-stable-icehouse.patch (4.98 KB, text/plain)
2015-02-09 11:56 EST, Martin Prpič 		no flags Details
upstream patch cve-2015-0259-master-kilo.patch (6.10 KB, text/plain)
2015-02-09 11:57 EST, Martin Prpič 		no flags Details
cve-2015-0259-master-kilo-v2.patch (12.87 KB, patch)
2015-03-03 19:33 EST, Kurt Seifried 		no flags Details | Diff
cve-2015-0259-stable-juno-v2.patch (10.24 KB, patch)
2015-03-03 19:34 EST, Kurt Seifried 		no flags Details | Diff
cve-2015-0259-stable-icehouse-v2.patch (9.71 KB, patch)
2015-03-03 19:34 EST, Kurt Seifried 		no flags Details | Diff
CVE-2015-0259 Juno Patch (10.25 KB, patch)
2015-03-09 20:45 EDT, Garth Mollett 		no flags Details | Diff
CVE-2015-0259 Icehouse Patch (9.72 KB, patch)
2015-03-09 20:50 EDT, Garth Mollett 		no flags Details | Diff
CVE-2015-0259 Kilo Patch (12.89 KB, patch)
2015-03-09 20:51 EDT, Garth Mollett 		no flags Details | Diff
Show Obsolete (6) Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1409142 None None None Never
OpenStack gerrit 163033 None None None Never
Red Hat Product Errata RHSA-2015:0790 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-07 15:07:41 EDT
Red Hat Product Errata RHSA-2015:0843 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 14:27:45 EDT
Red Hat Product Errata RHSA-2015:0844 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 14:27:38 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-02-06 06:27:03 EST 
Upstream has reported below issue in OpenStack Nova:

Title: Nova console Cross-Site WebSocket hijacking
Reporter: Brian Manifold (Cisco), Paul McMillan (Nebula)
Products: Nova
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.2

Description:
Brian Manifold from Cisco and Paul McMillan from Nebula reported a vulnerability in Nova console websocket. By tricking an authenticated user into visiting a malicious URL, a remote attacker or a man in the middle may exploit a cross-site-websocket-hijacking vulnerability resulting in potential hijack of consoles where the user is still logged in. Only Nova setups with vnc or spice enabled are affected.

Acknowlegement:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Brian Manifold of Cisco and Paul McMillan of Nebula as the original reporters.
Comment 1 Martin Prpič 2015-02-09 11:54:25 EST 
Created attachment 989782 [details]
upstream patch cve-2015-0259-stable-juno.patch
Comment 2 Martin Prpič 2015-02-09 11:56:41 EST 
Created attachment 989793 [details]
upstream patch cve-2015-0259-stable-icehouse.patch
Comment 3 Martin Prpič 2015-02-09 11:57:12 EST 
Created attachment 989797 [details]
upstream patch cve-2015-0259-master-kilo.patch
Comment 4 Garth Mollett 2015-02-18 19:15:46 EST 
Please note, the above patches are incomplete and new ones are expected.
Comment 8 Kurt Seifried 2015-03-03 19:31:21 EST 
A new proposed embargoed date has been set as 2015-03-10, 1500UTC, please note that this may change. I have also added the updated patches.
Comment 9 Kurt Seifried 2015-03-03 19:33:40 EST 
Created attachment 997714 [details]
cve-2015-0259-master-kilo-v2.patch
Comment 10 Kurt Seifried 2015-03-03 19:34:12 EST 
Created attachment 997715 [details]
cve-2015-0259-stable-juno-v2.patch
Comment 11 Kurt Seifried 2015-03-03 19:34:34 EST 
Created attachment 997716 [details]
cve-2015-0259-stable-icehouse-v2.patch
Comment 12 Garth Mollett 2015-03-09 20:45:56 EDT 
Created attachment 999698 [details]
CVE-2015-0259 Juno Patch
Comment 13 Garth Mollett 2015-03-09 20:50:29 EDT 
Created attachment 999700 [details]
CVE-2015-0259 Icehouse Patch
Comment 14 Garth Mollett 2015-03-09 20:51:33 EDT 
Created attachment 999702 [details]
CVE-2015-0259 Kilo Patch
Comment 18 Matthew Booth 2015-03-11 10:54:35 EDT 
The embargo is well and truly broken on this, with both a public bug and a public patch posted. If there is any additional inconvenience associated with the embargo process I suggest we drop it.
Comment 19 Martin Prpič 2015-03-11 12:47:29 EDT 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1200935]
Comment 20 Garth Mollett 2015-03-11 18:44:35 EDT 
Current patches, as attached to this bug, break non-browser based clients.
See: https://bugs.launchpad.net/nova/+bug/1409142/comments/133 (which should be public now).
Comment 21 Garth Mollett 2015-03-11 18:45:36 EDT 
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1201046]
Comment 23 errata-xmlrpc 2015-04-07 11:09:25 EDT 
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0790 https://rhn.redhat.com/errata/RHSA-2015-0790.html
Comment 24 errata-xmlrpc 2015-04-16 10:33:54 EDT 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0844 https://rhn.redhat.com/errata/RHSA-2015-0844.html
Comment 25 errata-xmlrpc 2015-04-16 10:35:41 EDT 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0843 https://rhn.redhat.com/errata/RHSA-2015-0843.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.