## Summary ##
The Nova console WebSocket proxy mutates a shared, process-global
oslo.config allowed_origins list on every incoming request by
appending the client-controlled Host header value. Because oslo.config
returns a cached list object, these appends persist for the lifetime
of the proxy process. This permanently weakens the cross-origin
protection on the console proxy and causes unbounded memory growth.

## Affected Services / Software ##
* nova: >=12.0.0 <31.3.2, >=32.0.0 <32.2.2, >=33.0.0 <33.0.3

## Discussion ##
On each request, the proxy appends the Host header to
CONF.console.allowed_origins to allow the proxy's own hostname.
This mutates the shared oslo.config cached list rather than
operating on a copy, so any Host value ever seen is retained
permanently for the life of the process.

An unauthenticated attacker can inject arbitrary hostnames into
the allow-list by sending requests with crafted Host headers,
defeating the Origin check for all subsequent requests. The
unbounded list growth also enables a slow memory exhaustion DoS.

## Recommended Actions ##
Apply the provided Nova patches. The fix copies the config list
before appending, so mutations do not persist across requests.

## Patches ##
The following reviews contain the fix for this issue:

* 2026.2/hibiscus (development): https://review.opendev.org/c/openstack/nova/+/995870
* 2026.1/gazpacho: https://review.opendev.org/c/openstack/nova/+/995956
* 2025.2/flamingo: https://review.opendev.org/c/openstack/nova/+/995957
* 2025.1/epoxy: https://review.opendev.org/c/openstack/nova/+/995958

## Credits ##
Sergey r0binak Kanibor, Luntry

## References ##
Author: Goutham Pacha Ravi, Red Hat
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0101
Original Launchpad bug: https://bugs.launchpad.net/nova/+bug/2158919
Mailing List: [security-sig] tag on [email protected]
OpenStack Security: https://security.openstack.org/
CVE: none

Attachment: OpenPGP_0x0638DAD3B82C3988.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
OpenStack-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to