
[openstack-announce] [OSSA 2015-005] Nova console Cross-Site WebSocket hijacking (CVE-2015-0259)


==========================================================
OSSA-2015-005: Nova console Cross-Site WebSocket hijacking
==========================================================

:Date: March 13, 2015
:CVE: CVE-2015-0259

Affects
~~~~~~~
- Nova: up to 2014.1.3 and 2014.2 versions up to 2014.2.2

Description
~~~~~~~~~~~
Brian Manifold from Cisco and Paul McMillan from Nebula reported a
vulnerability in Nova console websocket. By tricking an authenticated
user into visiting a malicious URL, a remote attacker or a man in the
middle may exploit a cross-site-websocket-hijacking vulnerability
resulting in potential hijack of consoles where the user is still
logged in. Only Nova setups with vnc or spice enabled are affected.

Patches
~~~~~~~
- https://review.openstack.org/163035 (Icehouse)
- https://review.openstack.org/163034 (Juno)
- https://review.openstack.org/163033 (Kilo)

Credits
~~~~~~~
- Brian Manifold from Cisco (CVE-2015-0259)
- Paul McMillan from Nebula (CVE-2015-0259)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1409142
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0259

Notes
~~~~~
- This fix is included in the 2014.1.4 (icehouse) release and it will be
  included in the kilo-3 development milestone and in the future 2014.2.3
  (juno) release.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


OpenStack-announce mailing list
OpenStack-announce@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

asked Mar 13, 2015 in openstack-announce by Tristan_Cacqueray (4,240 points)   3 6
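
The advisory above does not show the fix itself. As an added example (not the Nova patch and not code from the advisory), the following Python shows the usual server-side defence against cross-site WebSocket hijacking: validating the `Origin` header of the upgrade request before accepting it. The function names, parameters and hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def _hostname(authority):
    """Lower-cased hostname from a Host header value such as 'h:6080'."""
    try:
        return (urlsplit("//" + authority).hostname or "").lower()
    except ValueError:
        return ""

def origin_allowed(headers, allowed_origins=(), require_scheme="https"):
    """Return True only if the upgrade request's Origin is one we trust.

    headers: request headers as a dict; allowed_origins: extra trusted
    hostnames; require_scheme: scheme the console page is served over.
    All three names are assumptions made for this example.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin, host = h.get("origin"), h.get("host")
    if not origin or not host:
        return False  # no Origin: not a browser page we can vouch for
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False  # malformed Origin
    if parts.scheme != require_scheme:
        return False  # plain-http page (e.g. injected by a MITM), or "null"
    origin_host = (parts.hostname or "").lower()
    if not origin_host:
        return False
    # Hostnames are compared without ports: console and dashboard often differ in port.
    trusted = {_hostname(host)} | {a.lower() for a in allowed_origins}
    return origin_host in trusted

# Constructed handshake headers (hostnames are placeholders, not from the advisory).
SAMPLES = {
    "same_site": {"Host": "console.example.test:6080", "Origin": "https://console.example.test"},
    "cross_site": {"Host": "console.example.test:6080", "Origin": "https://other.example.net"},
    "http_downgrade": {"Host": "console.example.test:6080", "Origin": "http://console.example.test"},
    "no_origin": {"Host": "console.example.test:6080"},
    "dashboard": {"Host": "console.example.test:6080", "Origin": "https://dashboard.example.test"},
}

def evaluate(samples=SAMPLES, allowed=("dashboard.example.test",)):
    """Map each constructed sample name to the accept/reject decision."""
    return {name: origin_allowed(hdrs, allowed) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:15s} {'accept' if ok else 'reject'}")
```

Rejecting requests that carry no `Origin` header also blocks non-browser clients, so a deployment that needs those has to authenticate them by other means.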

1 Response


That's great.
Thanks to Tristan and Paul.

Regards
Jitendra
+91-9989743042

responded Mar 13, 2015 by Jitendra_Kumar_Bhask (340 points)   1