[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
** Changed in: nova/victoria
       Status: Fix Committed => Fix Released

** Changed in: nova/ussuri
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1927677

Title:
  [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  In Progress
Status in OpenStack Compute (nova) ussuri series:
  Fix Released
Status in OpenStack Compute (nova) victoria series:
  Fix Released
Status in OpenStack Compute (nova) wallaby series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  This bug report is related to Security.

  Currently novnc is allowing open redirection, which could potentially
  be used for phishing attempts.

  To test.
  https:example.com/%2F.. include .. at the end

  For example:
  http://vncproxy.my.domain.com//example.com/%2F..

  It will redirect to example.com. You can replace example.com with some
  legitimate domain or spoofed domain.

  The description of the risk is:
  By modifying untrusted URL input to a malicious site, an attacker may
  successfully launch a phishing scam and steal user credentials. Because
  the server name in the modified link is identical to the original site,
  phishing attempts may have a more trustworthy appearance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1927677/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
** Changed in: nova/wallaby
       Status: Fix Committed => Fix Released

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  In Progress
Status in OpenStack Compute (nova) ussuri series:
  Fix Committed
Status in OpenStack Compute (nova) victoria series:
  Fix Committed
Status in OpenStack Compute (nova) wallaby series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
Reviewed:  https://review.opendev.org/c/openstack/ossa/+/811181
Committed: https://opendev.org/openstack/ossa/commit/51a1bf0699128c8ddcb7567347cee69492601091
Submitter: "Zuul (22348)"
Branch:    master

commit 51a1bf0699128c8ddcb7567347cee69492601091
Author: Jeremy Stanley
Date:   Mon Sep 27 15:02:06 2021 +

    Errata 1 for OSSA-2021-002

    Change-Id: Iaeb40574176ae62542a0c17e94917e654d38317d
    Closes-Bug: #1927677

** Changed in: ossa
       Status: In Progress => Fix Released

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  In Progress
Status in OpenStack Compute (nova) ussuri series:
  Fix Committed
Status in OpenStack Compute (nova) victoria series:
  Fix Committed
Status in OpenStack Compute (nova) wallaby series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
I've switched the security advisory task back to incomplete for now,
while the vulnerability managers debate whether this requires errata
publication or a completely new advisory.

** Changed in: ossa
       Status: Fix Released => Incomplete

** Changed in: ossa
   Importance: Medium => Undecided

** Changed in: ossa
     Assignee: Jeremy Stanley (fungi) => (unassigned)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  Confirmed
Status in OpenStack Compute (nova) ussuri series:
  Confirmed
Status in OpenStack Compute (nova) victoria series:
  Confirmed
Status in OpenStack Compute (nova) wallaby series:
  Confirmed
Status in OpenStack Security Advisory:
  Incomplete
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
Reviewed:  https://review.opendev.org/c/openstack/nova/+/805654
Committed: https://opendev.org/openstack/nova/commit/6fbd0b758dcac71323f3be179b1a9d1c17a4acc5
Submitter: "Zuul (22348)"
Branch:    master

commit 6fbd0b758dcac71323f3be179b1a9d1c17a4acc5
Author: Sean Mooney
Date:   Mon Aug 23 15:37:48 2021 +0100

    address open redirect with 3 forward slashes

    Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended to address
    OSSA-2021-002 (CVE-2021-3654), however after its release it was
    discovered that the fix only worked for urls with 2 leading slashes
    or more than 4.

    This change addresses the missing edge case for 3 leading slashes and
    also maintains support for rejecting 2+.

    Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
    co-authored-by: Matteo Pozza
    Closes-Bug: #1927677

** Changed in: nova
       Status: In Progress => Fix Released

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  Confirmed
Status in OpenStack Compute (nova) ussuri series:
  Confirmed
Status in OpenStack Compute (nova) victoria series:
  Confirmed
Status in OpenStack Compute (nova) wallaby series:
  Confirmed
Status in OpenStack Security Advisory:
  Fix Released
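An added Python example (not nova's or noVNC's code) of the rule the commit above describes: treat any request path beginning with two or more slashes as a rejected request, rather than special-casing 2 and 4+. It also shows why counting slashes matters: urllib's urljoin reads exactly "//host/" as an authority but "///host/" as a same-origin path, whereas browsers following the WHATWG URL standard collapse any run of leading slashes and navigate to the external host in both cases. Function names and the sample paths are constructed for the example; example.com and vncproxy.my.domain.com are the placeholder names from the bug report.

```python
"""Added example (not nova's code): screen request paths that could turn a
directory redirect into a scheme-relative (open) redirect, as described for
OSSA-2021-002 / CVE-2021-3654.

Servers built on http.server.SimpleHTTPRequestHandler answer a request for a
directory without a trailing slash with a redirect to the same path plus '/'.
When that path begins with two or more slashes, the resulting
'Location: //host/...' is read by browsers as an absolute URL on another host.
"""
import re
from urllib.parse import urljoin

# Two or more leading slashes. The commit this accompanies notes the first fix
# missed exactly three, so the rule is written as "2+" rather than "2 or 4+".
_LEADING_SLASHES = re.compile(r"^/{2,}")


def is_open_redirect_path(path: str) -> bool:
    """True when a request path should be refused (e.g. HTTP 400) because a
    redirect to path + '/' would leave the proxy's own origin."""
    return _LEADING_SLASHES.match(path) is not None


def python_resolution(origin: str, location: str) -> str:
    """How urllib resolves a Location value against the proxy origin.

    urljoin treats '//example.com/' as an authority (external host) but
    '///example.com/' as a same-origin path, so authority parsing alone would
    have accepted the three-slash case that browsers still send off-site."""
    return urljoin(origin, location)


if __name__ == "__main__":
    # Constructed sample paths (hypothetical requests to the noVNC proxy).
    origin = "https://vncproxy.my.domain.com"
    for path in ("/vnc.html", "//example.com/%2F..", "///example.com/%2F.."):
        verdict = "reject" if is_open_redirect_path(path) else "serve"
        target = python_resolution(origin, path + "/")
        print(f"{path:24} -> {verdict:6}  (urllib would resolve redirect to {target})")
```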
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
It is confirmed that the original fix was incomplete. A new fix is being
merged to master https://review.opendev.org/c/openstack/nova/+/805654
(and then backported)

** Changed in: nova
       Status: Fix Released => In Progress

** Changed in: nova/wallaby
       Status: Fix Released => Confirmed

** Changed in: nova/ussuri
       Status: Fix Committed => Confirmed

** Changed in: nova/train
       Status: In Progress => Confirmed

** Changed in: nova/stein
       Status: In Progress => Confirmed

** Changed in: nova/victoria
       Status: Fix Committed => Confirmed

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) stein series:
  Confirmed
Status in OpenStack Compute (nova) train series:
  Confirmed
Status in OpenStack Compute (nova) ussuri series:
  Confirmed
Status in OpenStack Compute (nova) victoria series:
  Confirmed
Status in OpenStack Compute (nova) wallaby series:
  Confirmed
Status in OpenStack Security Advisory:
  Fix Released
[Yahoo-eng-team] [Bug 1927677] Re: [OSSA-2021-002] Open Redirect in noVNC proxy (CVE-2021-3654)
** Also affects: nova/stein
   Importance: Undecided
       Status: New

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) stein series:
  New
Status in OpenStack Compute (nova) train series:
  In Progress
Status in OpenStack Compute (nova) ussuri series:
  Fix Committed
Status in OpenStack Compute (nova) victoria series:
  Fix Committed
Status in OpenStack Compute (nova) wallaby series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released