[openstack-dev] [OSSN 0022] Nova Networking does not enforce security group rules following a soft reboot of an instance

2014-08-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova Networking does not enforce security group rules following a soft reboot of an instance - --- ### Summary ### In deployments using Nova Networking, security group rules associated with an instance may not be enforced after a soft reboot. Nova is

Re: [openstack-dev] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 09:08 AM, Matt Riedemann wrote: I'm seeing some nova stable/havana patches failing consistently on keystone bug 1357652 [1], keystone won't start due to an import error. I'm not seeing any recent changes for keystone in stable/havana so not sure if this is an infra issue or

Re: [openstack-dev] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 09:18 AM, Nathan Kinder wrote: On 08/17/2014 09:08 AM, Matt Riedemann wrote: I'm seeing some nova stable/havana patches failing consistently on keystone bug 1357652 [1], keystone won't start due to an import error. I'm not seeing any recent changes for keystone in stable

Re: [openstack-dev] [Openstack-stable-maint] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 01:58 PM, Matt Riedemann wrote: On 8/17/2014 3:36 PM, Alan Pevec wrote: 2014-08-17 22:25 GMT+02:00 Matt Riedemann mrie...@linux.vnet.ibm.com: The other thing I thought was we could cap the version of python-keystoneclient in stable/havana, would that be bad? stable/havana

Re: [openstack-dev] [Openstack-stable-maint] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 05:40 PM, Nathan Kinder wrote: On 08/17/2014 01:58 PM, Matt Riedemann wrote: On 8/17/2014 3:36 PM, Alan Pevec wrote: 2014-08-17 22:25 GMT+02:00 Matt Riedemann mrie...@linux.vnet.ibm.com: The other thing I thought was we could cap the version of python-keystoneclient

[openstack-dev] [OSSN 0023] Keystone logs auth tokens in URLs at the INFO log level

2014-09-04 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone logs auth tokens in URLs at the INFO log level - --- ### Summary ### When a client accesses Keystone using the Identity API version 2, the tokens will be logged as part of some request URLs. Specifically all requests to the tokens resource

[openstack-dev] [OSSN 0026] Unrestricted write permission to config files can allow code execution

2014-09-05 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Unrestricted write permission to config files can allow code execution - --- ### Summary ### In numerous places throughout OpenStack projects, variables are read directly from configuration files and used to construct statements which are executed

[openstack-dev] [OSSN 0020] Disassociating floating IPs does not terminate NAT connections with Neutron L3 agent

2014-09-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Disassociating floating IPs does not terminate NAT connections with Neutron L3 agent - --- ### Summary ### Every virtual instance is automatically assigned a private IP address. You may optionally assign public IP addresses to instances. OpenStack

Re: [openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility

2014-09-15 Thread Nathan Kinder
On 09/12/2014 12:46 AM, Angus Lees wrote: On Thu, 11 Sep 2014 03:21:52 PM Steven Hardy wrote: On Wed, Sep 10, 2014 at 08:46:45PM -0400, Jamie Lennox wrote: For service to service communication there are two types. 1) using the user's token like nova-cinder. If this token expires there is

[openstack-dev] [OSSN 0027] Neutron ARP cache poisoning vulnerability

2014-09-16 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Neutron ARP cache poisoning vulnerability - --- ### Summary ### The Neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning, as this driver is currently only capable of MAC address and IP address based anti-spoofing rules.

[openstack-dev] [OSSN 0029] Neutron FWaaS rules lack port restrictions when using protocol 'any'

2014-09-24 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Neutron FWaaS rules lack port restrictions when using protocol 'any' - --- ### Summary ### A bug in the Neutron FWaaS (Firewall as a Service) code results in iptables rules being generated that do not reflect desired port restrictions. This behaviour

[openstack-dev] [OSSG][OSSN] Glance allows sharing of images between projects without consumer project approval

2013-12-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance allows sharing of images between projects without consumer project approval - --- ### Summary ### Glance allows images to be shared between projects. In certain API versions, images can be shared without the consumer project's approval. This

Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Nathan Kinder
On 12/11/2013 08:08 PM, Bryan D. Payne wrote: We can involve people in security reviews without having them on the core review team. They are separate concerns. Yes, but those people can't ultimately approve the patch. So you'd need to have a security reviewer do their review,

[openstack-dev] [OSSG][OSSN] Keystone can allow user impersonation when using REMOTE_USER for external authentication

2014-01-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone can allow user impersonation when using REMOTE_USER for external authentication - --- ### Summary ### When external authentication is used with Keystone using the ExternalDefault plug-in, external usernames containing @ characters are

[openstack-dev] [OSSN] Live migration instructions recommend unsecured libvirt remote access

2014-03-06 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Live migration instructions recommend unsecured libvirt remote access - --- ### Summary ### When using the KVM hypervisor with libvirt on OpenStack Compute nodes, live migration of instances from one Compute server to another requires that the

Re: [openstack-dev] 答复: [OSSN] Live migration instructions recommend unsecured libvirt remote access

2014-03-07 Thread Nathan Kinder
capabilities: http://libvirt.org/migration.html Thanks, - -NGK -Hao -邮件原件- 发件人: Nathan Kinder [mailto:nkin...@redhat.com] 发送时间: 2014年3月7日 3:36 收件人: OpenStack Development Mailing List (not for usage questions) 主题: [openstack-dev] [OSSN] Live migration instructions recommend

[openstack-dev] [OSSG][OSSN] DoS style attack on noVNC server can lead to service interruption or disruption

2014-03-09 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DoS style attack on noVNC server can lead to service interruption or disruption - --- ### Summary ### There is currently no limit to the number of noVNC or SPICE console sessions that can be established by a single user. The console host has limited

Re: [openstack-dev] [keystone] All LDAP users returned using keystone v3/users API

2014-03-13 Thread Nathan Kinder
(for example, it is not possible to set user_filter to members of certain known groups for OpenLDAP without creating a memberOf overlay on the LDAP server). [Nathan Kinder] What attributes would you filter on? It seems to me that LDAP would need to have knowledge of the roles to be able to filter

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-27 Thread Nathan Kinder
On 03/26/2014 09:51 AM, Clint Byrum wrote: Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700: Hi We don't have a strong attachment to stunnel though, I quickly dropped it in front of our CI/CD undercloud and Rob wrote the element so we could repeat the deployment. In the

[openstack-dev] [OSSG][OSSN] Potential token revocation abuse via group membership

2014-04-02 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Potential token revocation abuse via group membership - --- ### Summary ### Deletion of groups in Keystone causes token revocation for group members. If group capabilities are delegated to users, they can abuse those capabilities to maliciously

[openstack-dev] Security audit of OpenStack projects

2014-04-07 Thread Nathan Kinder
Hi, We don't currently collect high-level security related information about the projects for OpenStack releases. Things like the crypto algorithms that are used or how we handle sensitive data aren't documented anywhere that I could see. I did some thinking on how we can improve this. I wrote

[openstack-dev] [OSSG][OSSN] Authenticated users are able to update passwords without providing their current password

2013-11-22 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Authenticated users are able to update passwords without providing their current password - --- ### Summary ### An authenticated user is able to change their password without providing their current password. This allows compromised authentication

Re: [openstack-dev] tenant or project

2013-11-23 Thread Nathan Kinder
On 11/23/2013 08:28 AM, Tim Bell wrote: Horizon uses Project in the user interface, yet the openstack.rc file contains tenant_id and tenant_name. It makes it very difficult to write user guides given that such a fundamental concept has two names. +1. I struggled with this

Re: [openstack-dev] [Solum] [Security]

2013-11-27 Thread Nathan Kinder
On 11/27/2013 08:58 AM, Paul Montgomery wrote: I created some relatively high level security best practices that I thought would apply to Solum. I don't think it is ever too early to get mindshare around security so that developers keep that in mind throughout the project. When a design

Re: [openstack-dev] Message level security plans.

2014-06-12 Thread Nathan Kinder
Hi Tim, Jamie Lennox (cc'd) has been the main developer working on Kite. I'm sure he would appreciate you getting involved in reviews [1] and any other development help you're willing to contribute. Patches have slowly been landing in the kite repo. [2] For others not familiar with Kite, there

[openstack-dev] [OSSG][OSSN] Session-fixation vulnerability in Horizon when using the default signed cookie sessions

2014-06-20 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Session-fixation vulnerability in Horizon when using the default signed cookie sessions - --- ### Summary ### The default setting in Horizon is to use signed cookies to store session state on the client side. This creates the possibility that if an

[openstack-dev] [OSSG][OSSN] Nova Network configuration allows guest VMs to connect to host services

2014-06-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova Network configuration allows guest VMs to connect to host services - --- ### Summary ### When using Nova Network to manage networking for compute instances, instances are able to reach network services running on the host system. This may be a

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-25 Thread Nathan Kinder
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently. My

[openstack-dev] [OSSG][OSSN] Cinder SSH Pool will auto-accept SSH host signatures by default

2014-06-30 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cinder SSH Pool will auto-accept SSH host signatures by default - --- ### Summary### In OpenStack releases prior to Juno, the SSH connection pool used by Cinder drivers to control SAN hosts will silently auto-accept SSH host fingerprints. This

Re: [openstack-dev] [Keystone] HTTP Get and HEAD requests mismatch on resulting HTTP status (proposed REST API Response Status Changes)

2014-07-01 Thread Nathan Kinder
On 07/01/2014 07:48 PM, Robert Collins wrote: Wearing my HTTP fanatic hat - I think this is actually an important change to do. Skew like this can cause all sorts of odd behaviours in client libraries. +1. The current behavior of inconsistent response codes between the two recommended

Re: [openstack-dev] [Keystone] [Swift] Question re. keystone domains

2014-07-02 Thread Nathan Kinder
On 07/01/2014 12:15 PM, Dolph Mathews wrote: On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair alistair.co...@hp.com mailto:alistair.co...@hp.com wrote: We have a change [1] under review in Swift to make access control lists compatible with migration to keystone v3 domains. The

Re: [openstack-dev] [Keystone][devstack] Keystone is now gating (Juno and beyond) on Apache + mod_wsgi deployed Keystone

2014-07-14 Thread Nathan Kinder
On 07/11/2014 08:43 AM, Morgan Fainberg wrote: The Keystone team is happy to announce that as of yesterday (July 10th 2014), with the merge of https://review.openstack.org/#/c/100747/ Keystone is now gating on Apache + mod_wsgi based deployment. This also has moved the default for

[openstack-dev] [Keystone] Feasibility of adding global restrictions at trust creation time

2014-07-22 Thread Nathan Kinder
Hi, I've had a few discussions recently related to Keystone trusts with regards to imposing restrictions on trusts at a deployment level. Currently, the creator of a trust is able to specify the following restrictions on the trust at creation time: - an expiration time for the trust - the

Re: [openstack-dev] [Keystone] Feasibility of adding global restrictions at trust creation time

2014-07-22 Thread Nathan Kinder
On 07/22/2014 06:55 PM, Steven Hardy wrote: On Tue, Jul 22, 2014 at 05:20:44PM -0700, Nathan Kinder wrote: Hi, I've had a few discussions recently related to Keystone trusts with regards to imposing restrictions on trusts at a deployment level. Currently, the creator of a trust is able

[openstack-dev] [OSSN 0021] Owners of compromised accounts should verify Keystone trusts

2014-07-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Owners of compromised accounts should verify Keystone trusts - --- ### Summary ### The Keystone 'trusts' API allows for delegation of privileges to one user on behalf of another. This API can allow for an attacker of a compromised account to set up

[openstack-dev] [OSSG][OSSN] OpenSSL Heartbleed vulnerability can lead to OpenStack compromise

2014-04-10 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Heartbleed vulnerability can lead to OpenStack compromise - --- ### Summary ### A vulnerability in OpenSSL can lead to leaking of confidential data protected by SSL/TLS in an OpenStack deployment. ### Affected Services / Software ###

Re: [openstack-dev] Security audit of OpenStack projects

2014-04-10 Thread Nathan Kinder
On 04/10/2014 09:48 AM, Russell Bryant wrote: On 04/10/2014 11:39 AM, Steven Hardy wrote: On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote: Hi, We don't currently collect high-level security related information about the projects for OpenStack releases. Things like the crypto

[openstack-dev] [OSSG][OSSN] Sample Keystone v3 policy exposes privilege escalation vulnerability

2014-04-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sample Keystone v3 policy exposes privilege escalation vulnerability - --- ### Summary ### The policy.v3cloudsample.json sample Keystone policy file combined with the underlying mutability of the domain ID for user, group, and project entities

Re: [openstack-dev] [barbican] Cryptography audit by OSSG

2014-04-24 Thread Nathan Kinder
your involvement in OSSG. In fact, there has been much interest in OSSG about the Barbican project. And I believe that many people from the group are contributing to Barbican. In the below thread on the security list, Nathan Kinder is conducting a security audit

Re: [openstack-dev] [Neutron][LBaaS] Use Case Question

2014-04-25 Thread Nathan Kinder
On 04/25/2014 12:50 AM, Carlos Garza wrote: Trevor is referring to our plans on using the SSL session ID of the ClientHello to provide session persistence. See RFC 5264 section 7.4.1.2 which sends an SSL session ID in the clear (Unencrypted) so that a load balancer with out the

Re: [openstack-dev] [barbican] Cryptography audit by OSSG

2014-04-25 Thread Nathan Kinder
On 04/18/2014 06:55 AM, Lisa Clark wrote: Barbicaneers, Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on. In the below thread on the security list, Nathan Kinder

Re: [openstack-dev] [nova][olso] How is the trusted message going on?

2014-05-05 Thread Nathan Kinder
On 05/05/2014 03:29 PM, Jiang, Yunhong wrote: Hi, all The trusted messaging (https://blueprints.launchpad.net/oslo.messaging/+spec/trusted-messaging) has been removed from icehouse, does anyone know how is current status? I noticed a summit session may cover it (

[openstack-dev] [OSSG][OSSN] Some versions of Glance do not apply property protections as expected

2014-05-07 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Some versions of Glance do not apply property protections as expected - --- ### Summary ### Tom Leaman reported an issue to the OpenStack mailing list that affects Glance property protections. A permissive property setting in the Glance property

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Nathan Kinder
On 05/08/2014 03:19 AM, Samuel Bercovici wrote: Hi, Please note as commented also by other XaaS services that managing SSL certificates is not a sole LBaaS challenge. This calls for either an OpenStack wide service or at least a Neutron wide service to implement such use cases.

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-22 Thread Nathan Kinder
On 05/22/2014 07:48 AM, Jarret Raim wrote: All, There was some interest at the Summit in semi-combining the mid-cycle meet ups for Barbican, Keystone and the OSSG as there is some overlap in team members and interest areas. The current dates being considered are: Mon, July 7 - Barbican

[openstack-dev] [OSSG][OSSN] Multiple Cinder drivers set insecure file permissions

2014-05-31 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Multiple Cinder drivers set insecure file permissions - --- ### Summary ### Several Cinder volume drivers set insecure file permissions for various files and directories. These permissions render the files accessible for read and write to any user

[openstack-dev] [OSSG][OSSN] Glance allows non-admin users to create public images

2014-05-31 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance allows non-admin users to create public images - --- ### Summary ### The default policy settings in Glance allow any user to upload an image that is publicly available to all users. This can allow a malicious user to upload a vulnerable image

[openstack-dev] [OSSG][OSSN] Cinder wipe fails in an insecure manner on Grizzly

2014-06-03 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cinder wipe fails in an insecure manner on Grizzly - --- ### Summary ### A configuration error can prevent the secure erase of volumes in Cinder on Grizzly, potentially allowing a user to recover another user’s data. ### Affected Services / Software

Re: [openstack-dev] [OSSG][OSSN] Some versions of Glance do not apply property protections as expected (***revision***)

2014-06-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, The previous revision of this OSSN specified an incorrect workaround. This new revision should supersede the old revision. Thanks, - -NGK - -- Some versions of Glance do not

[openstack-dev] [OSSN 0024] Sensitive data is exposed in log statements by python-keystoneclient

2014-09-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sensitive data is exposed in log statements by python-keystoneclient - --- ### Summary ### Python-keystoneclient is a client tool for the OpenStack Identity API, which is implemented by the Keystone project. Various OpenStack services including the

[openstack-dev] [OSSN 0030] Bash 'shellshock' bug can lead to code injection vulnerability

2014-09-26 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bash 'shellshock' bug can lead to code injection vulnerability - --- ### Summary ### A bug in the GNU Bash shell (4.3 and lower) exposes a code injection vulnerability via crafted environment variables (Shellshock, CVE-2014-6271, CVE-2014-7169).

Re: [openstack-dev] [OSSN 0029] Neutron FWaaS rules lack port restrictions when using protocol 'any'

2014-09-29 Thread Nathan Kinder
09:58 AM, Nathan Kinder wrote: Neutron FWaaS rules lack port restrictions when using protocol 'any' --- ### Summary ### A bug in the Neutron FWaaS (Firewall as a Service) code results in iptables rules being generated that do not reflect desired port restrictions. This behaviour is triggered

[openstack-dev] [OSSN 0028] Nova leaks compute host SMBIOS serial number to guests

2014-10-03 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova leaks compute host SMBIOS serial number to guests - --- ### Summary ### When Nova is using the libvirt virtualization driver, the SMBIOS serial number supplied by libvirt is provided to the guest instances that are running on a compute node.

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-13 Thread Nathan Kinder
On 10/13/2014 01:17 PM, Morgan Fainberg wrote: Description of the problem: Without attempting an action on an endpoint with a current scoped token, it is impossible to know what actions are available to a user. Horizon makes some attempts to solve this issue by sourcing all of the

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Nathan Kinder
, but I have no way of knowing what roles are required to perform a particular action without consulting the policy. -NGK Tim On Oct 14, 2014, at 1:56 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote: On 14/10/2014 01:25, Nathan Kinder wrote: On 10/13/2014 01:17 PM, Morgan

Re: [openstack-dev] [Keystone] external AuthN Identity Backend

2014-10-16 Thread Nathan Kinder
On 10/16/2014 12:30 PM, Dave Walker wrote: Hi, I think I considered the Federated plugin as a mismatch as it dealt with 'remote' auth rather than 'external' auth. I thought it was for purely handling SSO / SAML2, and not being subordinate to auth with the webserver. I'll dig into the

Re: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

2014-10-18 Thread Nathan Kinder
On 10/18/2014 08:43 AM, lohit.valleru wrote: Hello, Thank you for posting this issue to openstack-dev. I had posted this on the openstack general user list and was waiting for response. May i know, if we have any progress regarding this issue. I am trying to use external HTTPD

[openstack-dev] [OSSN 0025] Possible Glance image exposure via Swift

2014-10-21 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Possible Glance image exposure via Swift - --- ### Summary ### Glance is able to use Swift as a back end for storing virtual machine images. When Glance is configured this way (in multi-tenant mode only), it is possible for unauthenticated users to

[openstack-dev] [OSSN 0039] Configuring OpenStack deployments to prevent POODLE attacks

2014-10-21 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Configuring OpenStack deployments to prevent POODLE attacks - --- ### Summary ### POODLE (CVE-2014-3566) is a new attack on SSLv3 that allows an active network-based attacker to recover the plaintext from a secure connection using a CBC-mode cipher.

Re: [openstack-dev] [Ironic] A mascot for Ironic

2014-11-18 Thread Nathan Kinder
On 11/16/2014 10:51 AM, David Shrewsbury wrote: On Nov 16, 2014, at 8:57 AM, Chris K nobody...@gmail.com mailto:nobody...@gmail.com wrote: How cute. maybe we could call him bear-thoven. Chris I like Blaze Bearly, lead singer for Ironic Maiden. :)

[openstack-dev] [OSSN 0042] Keystone token scoping provides no security benefit

2014-12-17 Thread Nathan Kinder
and deployers of OpenStack must not rely on the scope of tokens to limit what actions can be performed using them. Concerned users are encouraged to read (OSSG member) Nathan Kinder's blog post on this issue and some of the potential future solutions. ### Contacts / References ### Nathan Kinder on Token

[openstack-dev] [OSSN 0038] Suds client subject to cache poisoning by local attacker

2014-12-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Suds client subject to cache poisoning by local attacker - --- ### Summary ### Suds is a Python SOAP client for consuming Web Services. Its default cache implementation stores pickled objects to a predictable path in /tmp. This can be used by a local

[openstack-dev] [OSSN 0043] glibc 'GHOST' vulnerability can allow remote code execution

2015-02-05 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 glibc 'GHOST' vulnerability can allow remote code execution - --- ### Summary ### A serious vulnerability in the GNU C library (glibc) gethostbyname* functions can allow an attacker to perform remote code execution with the privileges of the

[openstack-dev] [OSSN 0045] Vulnerable clients allow a TLS protocol downgrade (FREAK)

2015-03-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Vulnerable clients allow a TLS protocol downgrade (FREAK) - --- ### Summary ### Some client-side libraries, including un-patched versions of OpenSSL, contain a vulnerability which can allow a man-in-the-middle (MITM) to force a TLS version downgrade.

Re: [openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Nathan Kinder
On 03/05/2015 01:14 PM, Bryan D. Payne wrote: To security-doc core and other interested parties, Nathaniel Dillon has been working consistently on the security guide since our first mid-cycle meet up last summer. In that time he has come to understand the inner workings of the book and

[openstack-dev] [OSSN 0044] Older versions of noVNC allow session theft

2015-03-02 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Older versions of noVNC allow session theft - --- ### Summary ### Commonly packaged versions of noVNC allow an attacker to hijack user sessions even when TLS is enabled. noVNC fails to set the secure flag when setting cookies containing an

[openstack-dev] [OSSN 0047] Keystone does not validate that identity providers match federation mappings

2015-04-19 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone does not validate that identity providers match federation mappings - --- ### Summary ### Keystone's OS-FEDERATION extension does not enforce a link between an identity provider and a federation mapping. This can lead to assertions or

[openstack-dev] [OSSN 0048] Glance method filtering does not work under certain conditions

2015-04-30 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance method filtering does not work under certain conditions - --- ### Summary ### Glance is using the Python assert statement for validating the HTTP method type in its caching middleware for some image endpoints. The Python documentation states

[openstack-dev] [OSSN 0046] Setting services to debug mode can also set Pecan to debug

2015-05-11 Thread Nathan Kinder
Setting services to debug mode can also set Pecan to debug --- ### Summary ### When debug mode is set for a service using Pecan (via --debug or CONF.debug=True) Pecan is also set to debug. This can result in accidental information disclosures. ### Affected Services / Software ### Blazar,

Re: [openstack-dev] [Security] Nominating Michael McCune for Security CoreSec

2015-06-18 Thread Nathan Kinder
On 06/15/2015 09:16 AM, McPeak, Travis wrote: I¹d like to propose Michael McCune for CoreSec membership. I¹ve worked with Michael (elmiko) on numerous security tasks and bugs, and he has a great grasp on security concepts and is very active in the OpenStack security community. I think he

Re: [openstack-dev] [Security] Nominating Travis McPeak for Security CoreSec

2015-06-18 Thread Nathan Kinder
On 06/16/2015 02:28 AM, Clark, Robert Graham wrote: I’d like to nominate Travis for a CoreSec position as part of the Security project. - CoreSec team members support the VMT with extended consultation on externally reported vulnerabilities. Travis has been an active member of the

Re: [openstack-dev] [security] Nominating Mike McCune as Security-Doc Core

2015-05-22 Thread Nathan Kinder
On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote: To the Security and Docs groups as well as other interested parties, I would like to nominate Mike McCune to the Security Guide core. He has been contributing to the Security Guide for about six months now, and he has been a consistent

[openstack-dev] [OSSN 0059] Trusted VM can be powered on untrusted hosts

2015-11-16 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Trusted VM can be powered on untrusted hosts - --- ### Summary ### A trusted VM that has been launched earlier on a trusted host can still be powered on from the same host even after the trusted host is compromised. ### Affected Services /

[openstack-dev] [OSSN 0057] DoS attack on Glance service can lead to interruption or disruption

2015-10-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 DoS attack on Glance service can lead to interruption or disruption - --- ### Summary ### The typical Glance workflow allows authenticated users to create an image and upload the image content in a separate step. This can be abused by malicious

[openstack-dev] [OSSN 0049] Nova ironic driver logs sensitive information while operating in debug mode

2015-07-07 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova ironic driver logs sensitive information while operating in debug mode - --- ### Summary ### The password and authentication token configuration options for the ironic driver in nova are not marked as secret. The values of these options will be

[openstack-dev] [OSSN 0052] Python-swiftclient exposes raw token values in debug logs

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Python-swiftclient exposes raw token values in debug logs - --- ### Summary ### The password and authentication token configuration options for the python-swiftclient are not marked as secret. The values of these options will be logged to the

[openstack-dev] [OSSN 0055] Service accounts may have cloud admin privileges

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Service accounts may have cloud admin privileges - --- ### Summary ### OpenStack services (for example Nova and Glance) typically use a service account in Keystone to perform actions. In some cases this service account has full admin privileges,

[openstack-dev] [OSSN 0054] Potential Denial of Service in Horizon login

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Potential Denial of Service in Horizon login - --- ### Summary ### Horizon uses the Python based Django web framework. Older versions of this framework allow an unauthorized user to fill up the session store database causing a Horizon denial of

[openstack-dev] [OSSN 0058] Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes - --- ### Summary ### When using the LVMISCSIDriver with Cinder, the credentials for CHAP authentication are not formatted correctly in the tgtadm configuration file. This

[openstack-dev] [OSSN 0056] Cached keystone tokens may be accepted after revocation

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cached keystone tokens may be accepted after revocation - --- ### Summary ### Keystone auth_token middleware token and revocation list caching is used to reduce the load on the keystone service. The default token cache time is set to 300 seconds

[openstack-dev] [OSSN 0053] Keystone token disclosure may result in malicious trust creation

2015-09-23 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Keystone token disclosure may result in malicious trust creation - --- ### Summary ### Keystone tokens are the foundation of authentication and authorization in OpenStack. When a service node is compromised, it is possible that an attacker would

[openstack-dev] [OSSN 0061] Glance image signature uses an insecure hash algorithm (MD5)

2015-12-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Glance image signature uses an insecure hash algorithm (MD5) - --- ### Summary ### During the Liberty release the Glance project added a feature that supports verifying images by their signature. There is a flaw in the implementation that degrades

[openstack-dev] [OSSN 0062] Potential reuse of revoked Identity tokens

2015-12-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Potential reuse of revoked Identity tokens - --- ### Summary ### An authorization token issued by the Identity service can be revoked, which is designed to immediately make that token invalid for future use. When the PKI or PKIZ token providers are

[openstack-dev] [OSSN 0063] Nova and Cinder key manager for Barbican misuses cached credentials

2016-06-09 Thread Nathan Kinder
Nova and Cinder key manager for Barbican misuses cached credentials --- ### Summary ### During the Icehouse release the Cinder and Nova projects added a feature that supports storage volume encryption using keys stored in Barbican. The Barbican key manager, that is part of Nova and Cinder, had a

Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Nathan Kinder
looks to me like OSSN-0056 was written during a mid-cycle and could be > the right one. > > > > I’m struggling to work out the story behind OSSN-0050 – I’m adding > Nathan Kinder who might be able to shed more light on this. It looks like that one was added to the wiki b