
yahoo-eng-team team mailing list archive

[Bug 1435386] Re: VMs are being taken over through a VNC proxy exploit


That said, documentation recommends setting up 0.0.0.0 so that "live
migration can work":

http://docs.openstack.org/admin-guide-cloud/content/section_configuring-compute-migrations.html
"You must specify vncserver_listen=0.0.0.0 or live migration will not work correctly."

http://docs.openstack.org/admin-guide-cloud/content/nova-vncproxy-replaced-with-nova-novncproxy.html
"To connect the service to your Compute deployment, add the following configuration options to your nova.conf file:
    vncserver_listen=0.0.0.0"
"To use live migration, use the 0.0.0.0 address."

** Information type changed from Private Security to Public Security

** Also affects: openstack-manuals
   Importance: Undecided
       Status: New

** Summary changed:

- VMs are being taken over through a VNC proxy exploit
+ Specific config setting may result in VMs being taken over through VNC

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1435386

Title:
  Specific config setting may result in VMs being taken over through VNC

Status in OpenStack Compute (Nova):
  Invalid
Status in OpenStack Manuals:
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Jonathan Hogg from Chargebox reports (edited):

  On a single-machine cloud running OpenStack Icehouse, over the last
  week we have seen compromises of all of the Ubuntu 14.04 VMs running
  on the machine. The scenario shows the attacker gaining access through
  VNC (via a controlled reboot to reset the root password).

  QEMU instances are running with -vnc 0.0.0.0:1, which may or may not
  be the issue.
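A defender's check for the setting this thread is about, added here as an example and not code from the bug report, nova or the OpenStack docs: it reads vncserver_listen from a nova.conf fragment and scans QEMU command lines for a -vnc display bound to a wildcard address, like the -vnc 0.0.0.0:1 seen above. The nova.conf text and the process lines are constructed samples.

```python
import configparser
import re

# Constructed nova.conf fragment (not from the bug report); the listen value
# is the one the OpenStack docs quoted in this thread recommend.
SAMPLE_NOVA_CONF = """
[DEFAULT]
vnc_enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 192.0.2.10
"""

# Constructed command lines as `ps -eo args` would show them.
SAMPLE_PS_ARGS = [
    "qemu-system-x86_64 -name instance-00000001 -vnc 0.0.0.0:1 -k en-us",
    "qemu-system-x86_64 -name instance-00000002 -vnc 127.0.0.1:2",
    "qemu-system-x86_64 -name instance-00000003 -vnc 192.0.2.10:3",
]

# Addresses that make QEMU accept VNC connections on every interface.
WILDCARD = {"0.0.0.0", "::", "[::]"}

def conf_listen_address(conf_text, section="DEFAULT"):
    """Return vncserver_listen from nova.conf text (Icehouse keeps it in [DEFAULT])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(section, "vncserver_listen", fallback=None)

_VNC_RE = re.compile(r"(?:^|\s)-vnc\s+(\S+)")
_NAME_RE = re.compile(r"-name\s+(\S+)")

def exposed_vnc_instances(ps_lines):
    """Return (instance name, bind address) for guests whose VNC display listens on all interfaces."""
    exposed = []
    for line in ps_lines:
        m = _VNC_RE.search(line)
        if not m:
            continue
        addr = m.group(1).rsplit(":", 1)[0]  # "0.0.0.0:1" -> "0.0.0.0"
        name_m = _NAME_RE.search(line)
        if addr in WILDCARD:
            exposed.append((name_m.group(1) if name_m else "?", addr))
    return exposed

def audit(conf_text, ps_lines):
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    findings = []
    listen = conf_listen_address(conf_text)
    if listen in WILDCARD:
        findings.append(f"nova.conf: vncserver_listen={listen} exposes every guest's VNC "
                        "display on all interfaces; bind it to the management address")
    for name, addr in exposed_vnc_instances(ps_lines):
        findings.append(f"running guest {name}: -vnc {addr} reachable from any interface")
    return findings
```

A console session that binds only to a management address, with the VNC port range reachable solely from the proxy host, produces no findings.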
