Bug 1961439 (CVE-2021-3654) - CVE-2021-3654 openstack-nova: novnc allows open redirection
Summary: CVE-2021-3654 openstack-nova: novnc allows open redirection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1961446 1961346 1961351 1961445
Blocks: 1960387 1983989
TreeView+ depends on / blocked
 
Reported: 2021-05-17 23:54 UTC by Summer Long
Modified: 2022-03-24 13:44 UTC (History)
16 users (show)

Fixed In Version: nova 21.2.3, nova 22.3.0, nova 23.1.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in CPython which is used by openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
Clone Of:
Environment:
Last Closed: 2022-03-24 13:44:59 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0983 0 None None None 2022-03-24 11:03:45 UTC
Red Hat Product Errata RHSA-2022:0999 0 None None None 2022-03-23 22:26:45 UTC

Description Summer Long 2021-05-17 23:54:48 UTC
novnc allows open redirection, which could allow phishing attempts.
Risk: By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts could have a more trustworthy appearance.

https://bugs.launchpad.net/nova/+bug/1927677

Comment 4 Summer Long 2021-05-18 00:15:45 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1961446]

Comment 10 Summer Long 2021-11-01 22:38:05 UTC
Initial OSSA now out of date: https://security.openstack.org/ossa/OSSA-2021-002.html
Upstream fixes have been released: 21.2.3, 22.3.0, and 23.1.0
together with two additional stable-train commits: 
* https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
* https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb

Comment 11 Nick Tait 2022-03-09 21:23:39 UTC
Additional references:
https://bugs.python.org/issue43223
https://github.com/python/cpython/pull/24848

Comment 12 errata-xmlrpc 2022-03-23 22:26:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0999 https://access.redhat.com/errata/RHSA-2022:0999

Comment 13 errata-xmlrpc 2022-03-24 11:03:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0983 https://access.redhat.com/errata/RHSA-2022:0983

Comment 14 Product Security DevOps Team 2022-03-24 13:44:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3654


Note You need to log in before you can comment on or make changes to this bug.