Bug 2075681 (CVE-2022-1655) - CVE-2022-1655 OpenStack: Horizon session cookies are not flagged HttpOnly
Summary: CVE-2022-1655 OpenStack: Horizon session cookies are not flagged HttpOnly
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1655
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2083840
Blocks: 2075679
TreeView+ depends on / blocked
 
Reported: 2022-04-14 21:25 UTC by Sage McTaggart
Modified: 2022-12-09 22:13 UTC (History)
8 users (show)

Fixed In Version: OpenStack 16.2
Doc Type: If docs needed, set a value
Doc Text:
An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2022-12-09 22:13:58 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8856 0 None None None 2022-12-07 19:25:56 UTC

Description Sage McTaggart 2022-04-14 21:25:38 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=2075518

Description of problem:

- An internal security audit discovered that Horizon session cookies are being created without the HttpOnly flag even though we set HorizonSecureCookies to true in our environment files.

- According to the KCS article at https://access.redhat.com/solutions/4764241 the relevant Django flag should be set manually in the dashboard configuration file.


Version-Release number of selected component (if applicable):

- Red Hat OpenStack 16.2.1 (Z1)


Actual results:

- From the Customer point of view, the workaround described in KCS 4764241 is unacceptable because those modifications would get lost every time the overcloud configuration is updated by TripleO and it would require a manual intervention on all controllers followed by a restart of the dashboard.


Expected results:

- The customer expectation is a fix (set of HttpOnly via Tripleo) of this problem in a next Z stream of OSP 16.2


Additional info:

- OpenStack recommendations on Cookies, related to the OpenStack O&M Dashboard (Horizon GUI), are available at: https://docs.openstack.org/security-guide/dashboard/cookies.html

- In term of common consequences, connected to the missing HttpOnly flag in the Cookies related to the O&M OpenStack Dashboard (Horizon GUI), these could identified in these two areas [1][2]

[1] Confidentiality impact:               
If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

[2] Integrity impact:
If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., JWT and refresh token are written back to the browser in HTTP cookies. HttpOnly prevents JavaScript from accessing them, making them less vulnerable to theft. ) and assume the identity of the user.
Comment 2 errata-xmlrpc 2022-12-07 19:25:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8856 https://access.redhat.com/errata/RHSA-2022:8856
Comment 3 Product Security DevOps Team 2022-12-09 22:13:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1655
Note You need to log in before you can comment on or make changes to this bug.