Your message dated Fri, 13 Mar 2015 13:19:31 +0000
with message-id <e1ywpux-0004mj...@franck.debian.org>
and subject line Bug#780250: fixed in nova 2014.2.2-3
has caused the Debian Bug report #780250,
regarding CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780250: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780250
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2014.1.3-10
Severity: grave
Tags: security patch

Maintainer's message: below is the disclosed vulnerability for the Nova
VNC session hijack. I'm preparing an update right now.

Brian Manifold (bmani...@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.

Issue Details:

Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.

This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.

Recommendation:
 Verify the origin field in request header on all websocket requests.

Threat:
 * CWE-345: Insufficient Verification of Data Authenticity -- The software does
not sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.

 * CWE-346: Origin Validation Error -- The software does not properly verify
that the source of data or communication is valid.

 * CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.

Steps to reproduce:
 1. Log in to Horizon
 2. Pick an instance, go to console/vnc tab, wait for console to be loaded
 3. In another browser tab or window, load a VNC console script from local
disk or remote site
 4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
 The original connection has been hijacked by the second connection

Root cause:
 Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request.

Fix proposed to branch: master
Review: https://review.openstack.org/163033

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/163034

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/163035

--- End Message ---
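The countermeasure the report above recommends (verify the Origin header of every WebSocket handshake before proxying it to a VNC backend), written out as an added example. This is illustrative code, not nova's own websocket proxy or the upstream patch named in the bug; the `allowed_origins` parameter is an assumed extension for deployments where the dashboard and the console proxy are served from different hosts, and makes no claim about nova's configuration option names. The handshake headers in the `__main__` block are constructed sample input.

```python
# Added example (not nova's own code): the Origin check the report recommends,
# applied to the headers of a WebSocket handshake before the proxy connects the
# client to a VNC backend. `allowed_origins` is an assumed parameter, not a
# claim about nova's configuration.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(scheme, host, port):
    """Canonical (scheme, host, port) tuple with the default port made explicit,
    so that https://h and https://h:443 compare equal."""
    scheme = scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, host.lower(), port


def parse_origin(value):
    """Parse an Origin header value. Returns a canonical tuple, or None when the
    header is absent, 'null' (an opaque/sandboxed origin) or not a bare
    scheme://host[:port] serialisation. Callers treat None as 'reject'."""
    if value is None:
        return None
    value = value.strip()
    if not value or value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin carries no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    try:
        port = parts.port          # raises ValueError on a bad port
    except ValueError:
        return None
    return _normalize(parts.scheme, parts.hostname, port)


def expected_origin_from_host(host_header, tls):
    """The origin a same-site page would have produced: the Host header the
    browser sent, with the scheme the proxy is actually serving."""
    parts = urlsplit("//" + host_header.strip())
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    return _normalize("https" if tls else "http", parts.hostname, port)


def origin_allowed(headers, tls=False, allowed_origins=()):
    """True only when the handshake's Origin equals the origin implied by the
    Host header, or one of the configured allowed origins. Missing, 'null' or
    malformed Origin values are rejected: a browser always sends Origin on a
    WebSocket handshake, so its absence or mismatch means the request did not
    come from the dashboard's own pages."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = parse_origin(hdrs.get("origin"))
    if origin is None:
        return False
    expected = set()
    if "host" in hdrs:
        same_site = expected_origin_from_host(hdrs["host"], tls)
        if same_site is not None:
            expected.add(same_site)
    for extra in allowed_origins:
        parsed = parse_origin(extra)
        if parsed is not None:
            expected.add(parsed)
    return origin in expected


if __name__ == "__main__":
    # Constructed handshake headers, as a browser would send them to a
    # console proxy served over TLS on console.example.com:6080.
    same_site = {"Host": "console.example.com:6080",
                 "Origin": "https://console.example.com:6080",
                 "Upgrade": "websocket"}
    cross_site = {"Host": "console.example.com:6080",
                  "Origin": "https://attacker.example",
                  "Upgrade": "websocket"}
    print(origin_allowed(same_site, tls=True))    # True
    print(origin_allowed(cross_site, tls=True))   # False
```

Two points matter when deploying a check like this. The `tls` flag must reflect the scheme the browser used, so a proxy behind a TLS-terminating load balancer has to take it from the balancer's forwarded-scheme information rather than from its own listening socket, or every legitimate `https://` Origin will be rejected. And because the Origin is compared against the Host header, a Horizon dashboard served from a different hostname than the console proxy needs its origin listed explicitly; the comparison is still safe because a cross-site page cannot alter the Host header the victim's browser sends.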
--- Begin Message ---
Source: nova
Source-Version: 2014.2.2-3

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Mar 2015 09:43:56 +0100
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml 
nova-compute-qemu nova-compute-kvm nova-conductor nova-cert nova-scheduler 
nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc 
nova-cells nova-baremetal nova-consoleproxy
Architecture: source all
Version: 2014.2.2-3
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-baremetal - Openstack Compute - baremetal virt
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 780250
Changes:
 nova (2014.2.2-3) experimental; urgency=medium
 .
   * CVE-2015-0259: Websocket Hijacking Vulnerability in Nova VNC Server.
     Applied upstream patch (Closes: #780250):
     Websocket_Proxy_should_verify_Origin_header_juno.patch
Checksums-Sha1:
 560235f1aa14d651afb9e28feec3a34df670d55a 4850 nova_2014.2.2-3.dsc
 e4ec6f46a9bb2077263b36429bcbb77b816d090b 90804 nova_2014.2.2-3.debian.tar.xz
 10b677c6dd26e5ec9f7e7fb41bc2327c466c315a 1808644 python-nova_2014.2.2-3_all.deb
 1a9f7ab18adb9eac1ec076414f41099a6525c3c3 78278 nova-common_2014.2.2-3_all.deb
 c66de75be23f515f848b3f6b49cee30e77345038 22274 nova-compute_2014.2.2-3_all.deb
 85c43f38f2f98ced0267be30bc655060ed2beec7 16664 nova-compute-lxc_2014.2.2-3_all.deb
 a6705abeadd27957505dc227f6a1b88c31bbf0cc 16484 nova-compute-uml_2014.2.2-3_all.deb
 b5b756dba1f059f8dc22c94c36218786a1231f26 16472 nova-compute-qemu_2014.2.2-3_all.deb
 2b3b3c0846d81b2857b0512e9fd20f8d9abda44b 16582 nova-compute-kvm_2014.2.2-3_all.deb
 3095920f1a582966e70e8fb804e7662b15dca25f 19900 nova-conductor_2014.2.2-3_all.deb
 ca81153832b95131dd775df6cf6888956a8894a1 19990 nova-cert_2014.2.2-3_all.deb
 2b1a19bb4b85bdc479d17191dbbf9c52c74428a0 19902 nova-scheduler_2014.2.2-3_all.deb
 fbac545705d715b76181e7e2e07e1a6b8df14f49 16114 nova-volume_2014.2.2-3_all.deb
 296451f5f8c36d12a9f60496f331a2e8cbeea33b 37706 nova-api_2014.2.2-3_all.deb
 beffc321e65ba2d88c84330b24e335c48fcfdb42 21980 nova-network_2014.2.2-3_all.deb
 390af7458e446a37e15255feb9e8af4eeac92363 19994 nova-console_2014.2.2-3_all.deb
 76ad6e8bb771dacd5180adb50ed96d3b25a96130 19978 nova-consoleauth_2014.2.2-3_all.deb
 123fea952aff73437a8e60c2cea35e46cea4087f 987558 nova-doc_2014.2.2-3_all.deb
 ca491fe3950572d33d76920338dad74beebc7f69 19030 nova-cells_2014.2.2-3_all.deb
 590c454ab55dbfc0eff89307c6d997fa4d936d9c 19364 nova-baremetal_2014.2.2-3_all.deb
 85218b5f5c42fef5ee7b28f731479dee04764dde 24740 nova-consoleproxy_2014.2.2-3_all.deb
Checksums-Sha256:
 cbb21ef5aa92920c537e1e5699108935252b2da214557c55cb712f88b13e9179 4850 nova_2014.2.2-3.dsc
 cd97bfa1c2b71a49473624c4acf28ccec4e155b0d4d04743a999fb51fc0f561e 90804 nova_2014.2.2-3.debian.tar.xz
 179fa41c95642a69f354b4ef17b858f70c422e8d58d12e09e4359079fc3c3ab3 1808644 python-nova_2014.2.2-3_all.deb
 250644ff25972631afc3926134269bdb1e3326b3db873055fe02b857d90aedda 78278 nova-common_2014.2.2-3_all.deb
 e9347f91f08a3a4064ff53f34bf0d34688dfb9f2bf1af7d37f3df387c5790fb1 22274 nova-compute_2014.2.2-3_all.deb
 25368fd1f7ea914902c0d8f43013a4ea9da2ba315e0abfbd70e2034e77bec866 16664 nova-compute-lxc_2014.2.2-3_all.deb
 980efe0f3eda253492b67895fcd6b89da7e07ac8e2fcdbb4550617edf9705856 16484 nova-compute-uml_2014.2.2-3_all.deb
 a7757f3070939873c48f9a4d3e3677723b71487af66b7fabb31f46a3497cd092 16472 nova-compute-qemu_2014.2.2-3_all.deb
 144e3c9eb1d784868a0e16539d269968a28ad3a041af5608f2f3640e9e49d244 16582 nova-compute-kvm_2014.2.2-3_all.deb
 42a9ac26cbbb3a6f494fac9098d8a19f7e72837846abd3b976ba6cdd208ffd2f 19900 nova-conductor_2014.2.2-3_all.deb
 b76eb72959bfa95ea233a2fb638639a926c454c28e79407addc3624ce59f1d63 19990 nova-cert_2014.2.2-3_all.deb
 042de0e70c31110209dd9e4661cb1af4a0fcb6129865ab0b384f77a233970949 19902 nova-scheduler_2014.2.2-3_all.deb
 0d549a0b209995647c35c99d451db11ae1d2fb07ba5eef066b1ded24cfc63704 16114 nova-volume_2014.2.2-3_all.deb
 73b2f15f45dc0bc191f1707ebeb43f5cc511a7979704c0b1c51cae011452eb84 37706 nova-api_2014.2.2-3_all.deb
 12a636f72b6741c95e56999cf7c7bcf48b68785510789a0537de193606eef3fc 21980 nova-network_2014.2.2-3_all.deb
 c19ea14669e8033b2cb093d4da9373a0ed252c33e194478f13f25e7103472567 19994 nova-console_2014.2.2-3_all.deb
 aa12eca410c24efa2f5705201a9704ed3d51c5829f08723d6233c2bbc729e150 19978 nova-consoleauth_2014.2.2-3_all.deb
 979cb8d515d4a744b9ce9adad7d29769b1d8e3795cdd63820feaff98b1fc540b 987558 nova-doc_2014.2.2-3_all.deb
 57770e448453b2a0c5f2bc07e21f05c830e60bde5ae4e351b2a794b840a3b3ff 19030 nova-cells_2014.2.2-3_all.deb
 977594a7f745b0039416e7d6f39d5ea272394e5251db398ef9e84abf1a519bea 19364 nova-baremetal_2014.2.2-3_all.deb
 29b2d1bfe5f37ef761e741c809ffdc85fee2daa676be89ae17ee5a79ddf02e25 24740 nova-consoleproxy_2014.2.2-3_all.deb
Files:
 b0a196a3d4424ab38420affc8a9fee12 4850 net extra nova_2014.2.2-3.dsc
 3c4b96597690057e3e3afbbc176c3596 90804 net extra nova_2014.2.2-3.debian.tar.xz
 2d73ef3581745eec404c1265cd046181 1808644 python extra python-nova_2014.2.2-3_all.deb
 99d751a3e576802ffb69e749c69ea856 78278 net extra nova-common_2014.2.2-3_all.deb
 188d558946127d5f700a31ae9f7df8a4 22274 net extra nova-compute_2014.2.2-3_all.deb
 97b41efb8f240b2f9ea44e7a7fd9443f 16664 net extra nova-compute-lxc_2014.2.2-3_all.deb
 2fba9067258aa1b11ab4cd5c69137f27 16484 net extra nova-compute-uml_2014.2.2-3_all.deb
 ffaefa61344e2e5445c321c9249b43ee 16472 net extra nova-compute-qemu_2014.2.2-3_all.deb
 afb31628f4e49b28e82c08a16cd7c19f 16582 net extra nova-compute-kvm_2014.2.2-3_all.deb
 05c53a0e17db96ef80e002f5b884765d 19900 net extra nova-conductor_2014.2.2-3_all.deb
 921f8856e5cab4e305cfdbd9bce91e45 19990 net extra nova-cert_2014.2.2-3_all.deb
 67f9f9461f3e8860502d6200d2cd48e0 19902 net extra nova-scheduler_2014.2.2-3_all.deb
 30c6c5a3d21bdf3301ef928ad00f48ad 16114 oldlibs extra nova-volume_2014.2.2-3_all.deb
 d33d2fcc0d65698f58f90e4247ccabef 37706 net extra nova-api_2014.2.2-3_all.deb
 37b5c2535eda2c8be50cea561a4b8707 21980 net extra nova-network_2014.2.2-3_all.deb
 ae869dfa2543acb60d67ce51b9934b82 19994 net extra nova-console_2014.2.2-3_all.deb
 3000eeb8c68058be00149dfad66bcc38 19978 net extra nova-consoleauth_2014.2.2-3_all.deb
 3c0d39df46e200d63b26b3c94cec7c37 987558 doc extra nova-doc_2014.2.2-3_all.deb
 3e108aec363b70f907d8615605d23fba 19030 net extra nova-cells_2014.2.2-3_all.deb
 2da517fee900965f48c8b0011d7cd962 19364 net extra nova-baremetal_2014.2.2-3_all.deb
 d10456adb041aecb0b84035822437e0c 24740 net extra nova-consoleproxy_2014.2.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVAt8gAAoJENQWrRWsa0P+adQQAJDSo0DPABclsYCyFWjoNmHG
7IzS5l8iyBDVAqkPnaWAk8+uoj4DU1f//Wox8yAFh05ehqw+hrpwGAWTWDOecwHd
yyusP72QqxdLCQWblPfwXKONbDeNrY6dMND+EfYNFLh+bW21Sp7Hq9UwGZ3UZoMc
zDB08qyaO51nmyVtBWocQ6DZxZm3IlKS7W9Wc7woq2XOOd4A0jIa+0jmbkHxtrog
PkIHWsMnNA1tECqiHlZM714ISDlNruftqEJlWOq5az5/sou3lItHgdxRI6a38ehy
uCIeWdTGeGBrGS3Tsft2UW4YBIt60AoN4cX1CVbm5nkyQQ5jiH7v5HBAIHQZIOLS
y8MVuh4XdTPmG30QWgwO2BTCwWNNPNw5DqNvG2M16IIRg/WQMhRJwnvubvLRCX9/
v/ODa+PiuSJjH7x7A3g//ccU3Gl0UGvtZFobrQXkUx7lqRPYYqVbUPMCP677OVwL
ZUuVuT69z2cA101jaaumGCAilydTwa7/BNbf9qyvE69prdlHxrsuV12qW8Q9szRf
vaI9Mtn78ahTTkJvOsU/s9gzg7SiOq91xemquDWVpRXwUbCvBncXvyK4SzSj6tw7
lCLTL65SZT2/GrSq9KtVaA1RQXnmOuYCMg5SvKFdW6UDqzDWAcx3QqlAu/s1/KcE
k4qQOWbBAVeJ0nMzH2fG
=86ti
-----END PGP SIGNATURE-----

--- End Message ---
