Your message dated Fri, 13 Mar 2015 00:33:59 +0000
with message-id <e1ywdy7-0001bx...@franck.debian.org>
and subject line Bug#780250: fixed in nova 2014.1.3-11
has caused the Debian Bug report #780250,
regarding CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780250
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2014.1.3-10
Severity: grave
Tags: security patch

Maintainer's message: below is the disclosed vulnerability for the Nova
VNC session hijack. I'm preparing an update right now.

Brian Manifold (bmani...@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.

Issue Details:

Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.

This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.

Recommendation:
 Verify the origin field in request header on all websocket requests.

Threat:
      CWE-345
 * Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.

      CWE-346
 * Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.

      CWE-441
 * Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.

Steps to reproduce:
 1. Log in to Horizon
 2. Pick an instance, go to console/vnc tab, wait for console to be loaded
 3. In another browser tab or window, load a VNC console script from local
disk or remote site
 4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
 The original connection has been hijacked by the second connection

Root cause:
 Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request.

Fix proposed to branch: master
Review: https://review.openstack.org/163033

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/163034

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/163035

--- End Message ---
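The countermeasure the report above recommends (checking the Origin header of the WebSocket handshake), as an added worked example that is not nova's or websockify's own code: a small Python check that parses an upgrade request, rejects anything that is not a WebSocket handshake, and accepts only an Origin whose scheme, host and port match the console access URL the user was given. The helper names, the access URL, the token placeholder and the three sample handshakes are all constructed for this example.

```python
"""Origin check for a WebSocket upgrade request (added example, not nova's code).

Implements the countermeasure the report recommends: verify the Origin
header of the handshake. All names, URLs and sample handshakes are constructed.
"""
from urllib.parse import urlparse


def parse_handshake(raw: bytes) -> dict:
    """Parse request line and headers of an HTTP/1.1 request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers}


def is_websocket_upgrade(req: dict) -> bool:
    """True if the request carries the headers of an RFC 6455 opening handshake."""
    h = req["headers"]
    return (req["method"] == "GET"
            and "websocket" in h.get("upgrade", "").lower()
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key" in h)


def origin_key(url: str):
    """Normalise a URL or Origin value to (scheme, host, port); None if unusable."""
    try:
        u = urlparse(url)
        port = u.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    if port is None:
        port = 443 if u.scheme == "https" else 80
    return (u.scheme, u.hostname.lower(), port)


def origin_allowed(req: dict, access_url: str, extra_origins=()) -> bool:
    """Accept only an Origin equal to the console page's own origin.

    The page at access_url is the only document that should open the socket,
    so scheme, host and port must all match; extra_origins lists origins an
    operator explicitly trusts. A missing Origin is rejected (browsers send it).
    """
    origin = req["headers"].get("origin")
    if not origin:
        return False
    key = origin_key(origin)
    allowed = {origin_key(access_url)} | {origin_key(o) for o in extra_origins}
    allowed.discard(None)
    return key is not None and key in allowed


def validate_handshake(raw: bytes, access_url: str, extra_origins=()):
    """Return the (status, reason) a proxy would answer before touching VNC."""
    try:
        req = parse_handshake(raw)
    except ValueError as exc:
        return (400, str(exc))
    if not is_websocket_upgrade(req):
        return (400, "not a websocket upgrade")
    if "origin" not in req["headers"]:
        return (403, "missing origin")
    if not origin_allowed(req, access_url, extra_origins):
        return (403, "origin not allowed")
    return (101, "switching protocols")


# Constructed sample data: a console access URL and three handshakes.
ACCESS_URL = "https://console.example.net:6080/vnc_auto.html?token=TOKEN-PLACEHOLDER"


def sample_handshake(origin_line: bytes) -> bytes:
    """Build a constructed upgrade request with the given (possibly empty) Origin line."""
    return (b"GET /websockify HTTP/1.1\r\n"
            b"Host: console.example.net:6080\r\n"
            b"Upgrade: websocket\r\n"
            b"Connection: Upgrade\r\n"
            + origin_line +
            b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            b"Sec-WebSocket-Version: 13\r\n\r\n")


SAME_ORIGIN = sample_handshake(b"Origin: https://console.example.net:6080\r\n")
CROSS_SITE = sample_handshake(b"Origin: https://other-site.example.org\r\n")
NO_ORIGIN = sample_handshake(b"")

if __name__ == "__main__":
    for name, hs in (("same-origin", SAME_ORIGIN), ("cross-site", CROSS_SITE),
                     ("no-origin", NO_ORIGIN)):
        print(name, validate_handshake(hs, ACCESS_URL))
```

Against the scenario in the report, the handshake from a second page on another origin is answered with 403 before the proxy connects to the VNC server at all, and a handshake that omits Origin is refused rather than treated as trusted. An operator who legitimately serves the console page from a second origin adds it through extra_origins instead of loosening the match; comparing only the host name, for instance, would let a plain-http page open a console that is otherwise served over https.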
--- Begin Message ---
Source: nova
Source-Version: 2014.1.3-11

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Mar 2015 09:19:42 +0100
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-qemu nova-compute-kvm nova-conductor nova-cert nova-scheduler nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc nova-cells nova-baremetal nova-consoleproxy
Architecture: source all
Version: 2014.1.3-11
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-baremetal - Openstack Compute - baremetal virt
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 780250
Changes:
 nova (2014.1.3-11) unstable; urgency=high
 .
   * CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server. Done
     a rebase of upstream patch, so that it can be applied on top of the
     websockify 0.6 support patch. The resulting patch is a mix of the Icehouse
     and Juno patch. (Closes: #780250).
Checksums-Sha1:
 1baa7e7c17cd8d84114e9bf8ece302ea958cf569 4621 nova_2014.1.3-11.dsc
 4233e7274130f025b06cdafbe8997ca0573f8309 219684 nova_2014.1.3-11.debian.tar.xz
 db2e7b67f50fd051e14168f993e2805153e7e228 1766766 python-nova_2014.1.3-11_all.deb
 3f724d939ea695ef1235cd5af10c03ff98b51792 77472 nova-common_2014.1.3-11_all.deb
 6126dca86305b67edf7997dc5200cefba0b781f6 23142 nova-compute_2014.1.3-11_all.deb
 e457f1e7cef0320550d7d171f0d95e8d9e7a6f20 17322 nova-compute-lxc_2014.1.3-11_all.deb
 2e223bf1adedf59268bd1eab3f0ab1a010c8986c 17340 nova-compute-uml_2014.1.3-11_all.deb
 1cb5b511122724f183ba8d84f75985bf6fa0b0f6 17328 nova-compute-qemu_2014.1.3-11_all.deb
 04197c8333f0ec1b8e4a14d50f062e6bb3ce63ad 17438 nova-compute-kvm_2014.1.3-11_all.deb
 fb51f7322da1b5d9fb1669c006c893d9d1271f92 20780 nova-conductor_2014.1.3-11_all.deb
 a0d7af7d896fb564d88c937b8f0e0f62216c5e14 20878 nova-cert_2014.1.3-11_all.deb
 7eeb18d8f66b9f3828915eb4a314d2cdec0f4137 21756 nova-scheduler_2014.1.3-11_all.deb
 76d859037e9bc6b0fc8e912d116468fe26335444 16974 nova-volume_2014.1.3-11_all.deb
 3e26f2a23886ddaa363316d7b0ebeeaf58abb055 38606 nova-api_2014.1.3-11_all.deb
 d2fea6c7e6c38acabf103b988c0ec4be4023a512 22848 nova-network_2014.1.3-11_all.deb
 b41c933be6d57808467d3349de6f3c40d8bdcbdc 20882 nova-console_2014.1.3-11_all.deb
 91fd6dce65092db0f27ee9c432aaa2130e01127d 20848 nova-consoleauth_2014.1.3-11_all.deb
 f41909d8b718f5677d9be2caf3ab1bd9b8e46466 1045224 nova-doc_2014.1.3-11_all.deb
 0eb55522e51ef3cc81401b11b45e0d54922889a3 19906 nova-cells_2014.1.3-11_all.deb
 67fa59fa16ee1a65b91d5384ff83e27310e151d1 20246 nova-baremetal_2014.1.3-11_all.deb
 4a12de06431ebbc735cc9669a080232ef6004b9b 25468 nova-consoleproxy_2014.1.3-11_all.deb
Checksums-Sha256:
 ba104dd13501b8be40dc099c79dae43dfe0b3a25dd0fb0cd6a29b8ec64b0c742 4621 nova_2014.1.3-11.dsc
 c11fd02f7c1452a16d4c11641feaeddf4830fa30af7b13657d75f5f31d4f8048 219684 nova_2014.1.3-11.debian.tar.xz
 9369d3d13b5588b5e90dee0f132fa1812021fa1d47793918c4da433a3b107fce 1766766 python-nova_2014.1.3-11_all.deb
 95372c17e4f1c3e43b3d3483f385d541326e5aba2bc3d27786d39dfc0fae4b33 77472 nova-common_2014.1.3-11_all.deb
 12866af200d69828ec4670cc59ae6d298117cfc7b1c5d3084c48d4dd86126efd 23142 nova-compute_2014.1.3-11_all.deb
 85ce9357899be04e7dedb24f362ab97bc4eb1522098da1d7b3a4a0cfc7888c5e 17322 nova-compute-lxc_2014.1.3-11_all.deb
 5c854ed6f5152627ae7db0788e691d205ebf4121f92c38017527669767ab3387 17340 nova-compute-uml_2014.1.3-11_all.deb
 18a6ed0545f0ffec5525c7808859263faf6145ba3e6b8808b0e14d4535bc5323 17328 nova-compute-qemu_2014.1.3-11_all.deb
 1823f9e82399320ec3f1ba2dd8c6cc19e94dd888ca26de69901b249d9a743d20 17438 nova-compute-kvm_2014.1.3-11_all.deb
 8e96fc600b7e57416f9ac4e2d5799f8daa01d773b1c81ec10c3bfeffdea51ebb 20780 nova-conductor_2014.1.3-11_all.deb
 711f8a952c8a37778f79fd09665c4dfd55af766d9ad398b78e1461052371d4b3 20878 nova-cert_2014.1.3-11_all.deb
 becdf6f064a781cf791ddd2b2c7acfa4ead54c8378808e24a9ef44481e622da8 21756 nova-scheduler_2014.1.3-11_all.deb
 1ee4a26a0fe3b0183c2452ac8629667dd99389c67b5a96a75d8f93c936c7ec00 16974 nova-volume_2014.1.3-11_all.deb
 ca8145f051e8c8de291868c7e3b3f0da5c8318d49984b5f128c69cd7248a6199 38606 nova-api_2014.1.3-11_all.deb
 c400e084cbd78dbb15c41e5a09dae6b42dc9644af69d64ad588af929d6390910 22848 nova-network_2014.1.3-11_all.deb
 12f535ea40898495eb721765d0b13044d69ff2185e49025ef66c5dcb921bd778 20882 nova-console_2014.1.3-11_all.deb
 82e8967c280d11650509a717ec1bdce06c3665dfccb4242ef6b40d1d265deb3e 20848 nova-consoleauth_2014.1.3-11_all.deb
 42210c1fbfceb528d6db5465536edba4591cbc512278fd84262aec5ba1cc4624 1045224 nova-doc_2014.1.3-11_all.deb
 cd8d71e75f1650e88444081f80da040ef4dde54003c8bafe4d891b23095f2c51 19906 nova-cells_2014.1.3-11_all.deb
 546a315656479674710ddf86f13ba1cc132f1b196ed5da30034cf06550736e87 20246 nova-baremetal_2014.1.3-11_all.deb
 933a1606a8c8bf21eeb5e5314a173a8129403b6bb07465f902e0add940bd7ad9 25468 nova-consoleproxy_2014.1.3-11_all.deb
Files:
 7729df499646d2addee80ee8da87f276 4621 net extra nova_2014.1.3-11.dsc
 06fec62d40443d5a757a5a199f4845d9 219684 net extra nova_2014.1.3-11.debian.tar.xz
 81ecea8d3d55d22ed1a9d73aed0f0b2a 1766766 python extra python-nova_2014.1.3-11_all.deb
 fe2406ee701612a8fb6ac1778c205221 77472 net extra nova-common_2014.1.3-11_all.deb
 575e2d4196bc09bfd7358c644ef2f0b9 23142 net extra nova-compute_2014.1.3-11_all.deb
 ef676f9594ddc7b31dde28f8c1bfac36 17322 net extra nova-compute-lxc_2014.1.3-11_all.deb
 828a307d8610341fab913f135c69ce8c 17340 net extra nova-compute-uml_2014.1.3-11_all.deb
 af51c38af27a777d86ace1532c265899 17328 net extra nova-compute-qemu_2014.1.3-11_all.deb
 f9f7e33ce47c5d4238e694127498dcee 17438 net extra nova-compute-kvm_2014.1.3-11_all.deb
 814d17d7837a2b2804db8ba396b983f4 20780 net extra nova-conductor_2014.1.3-11_all.deb
 c0164182180ae43cc811dad97372cca4 20878 net extra nova-cert_2014.1.3-11_all.deb
 ad2eeb1718904a1144ee3bd5e765aef1 21756 net extra nova-scheduler_2014.1.3-11_all.deb
 abb806fc5d15ac6eb08fbe4ced428997 16974 oldlibs extra nova-volume_2014.1.3-11_all.deb
 867bed5cc56437ce8709976b2e02384e 38606 net extra nova-api_2014.1.3-11_all.deb
 322b98b46b2b2333c44be82eadd0875e 22848 net extra nova-network_2014.1.3-11_all.deb
 9050352fd1e5c45d30dd1511927fb62f 20882 net extra nova-console_2014.1.3-11_all.deb
 c1bdfcefc9c743f5a56f05fc31935a89 20848 net extra nova-consoleauth_2014.1.3-11_all.deb
 a1958276254daceed7cc57ad6242557e 1045224 doc extra nova-doc_2014.1.3-11_all.deb
 864d000db3bcecc13a5224710d1dba9b 19906 net extra nova-cells_2014.1.3-11_all.deb
 c1fdc9a2f36e54a6ac0a11fa00e133af 20246 net extra nova-baremetal_2014.1.3-11_all.deb
 d3493029ce90fb9e77e5f082c144184c 25468 net extra nova-consoleproxy_2014.1.3-11_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVAi2wAAoJENQWrRWsa0P+/qIP/2T54B/p1A7/n/pMsNf4g/fQ
FnpOWGXb0NkhfzkIRzNTQIke3rjCh6/fxRHf9f9Rje4noXjZoZV09eiF2n6p6gId
EP6uBTJND8TTu4r0C6pnTR+JMSmDYhh9L/i6kY3DtZYkJRNP97qpa7vk682C58YM
vpJjJCUEdFkXEkXMd0x/9deAXZDWPebNvNzWrpNjmzo2tIlBZ16Scpim46Zsu2mS
1+qS9ntdH+dddHe5hJkN8fHQl1Z+9tJcbGBTYUDeyv4Eyh302/8ltMbH444MxPQz
cmyLbxTEOWhx4JMjBzq04mQnAiAILYPVzWfmPD1z8rMhOwFsRtpU3MqeMV2tR1V5
oSdKXFw1GGEeF6uwQIwB3z3E5EptAlSj7vYo877tujSgJQnfG8BveEs8wqUSQizK
/myNsVKsy2PdlXVf4nKrl2epE7URiQh13C+kkudnGEEZosKWVqSmY30yfSX0hOe/
RAHv16QmI1FsRnwUDcF6pEMZ9uSRas1Uv8w1pozGQuaYoYys6NctmGxXzmbt9eMy
fHXIHmxlZjdRoH8jfoexYnPARBluIjrKgFfjIx1cJWGJvf3y7Uavq3C9F92MynCU
qArfss6FEiXTDDv2Ee0FefSqsjT0aQh0gMIR9bx5wB43mBp69DOkoxZ1c4w6nDqA
cMFv1b+Vfco7gS9baoDs
=u/nu
-----END PGP SIGNATURE-----

--- End Message ---