[Bug 1606500] Re: Heat: template source URL allows network port scan
CVE has been requested with this affect line: <=5.0.3, >=6.0.0 <=6.1.0
and ==7.0.0
@Daniel, the bug is now public, feel free to submit patches to gerrit
for master (Ocata), Newton, Mitaka and Liberty.
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
Launching a new Heat stack and giving the template from a URL like
http://localhost:22
results in an error message like:
ERROR: Could not retrieve template: Failed to retrieve template:
('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_6.6.1\r\n',))
This is a security issue as it allows users to scan the network for
listening ports.
heat CLI does not allow that:
heat stack-create -u http://localhost:22 test
[Errno 104] Connection reset by peer
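One defensive shape for the template-fetch path described above, as an added example that is not Heat's code or its eventual fix: validate the URL against an allowlist before any connection is made, and map every transport failure to a single generic message so that a non-HTTP banner such as the SSH one quoted above never reaches the user. The allowed schemes and ports, the generic message, and the constructed `banner_opener` stand-in are assumptions.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: template servers live on web ports only
GENERIC_ERROR = "Could not retrieve template from the given URL"

class TemplateURLError(ValueError):
    """Rejected URL or failed fetch; carries no transport-level detail."""

def validate_template_url(url):
    """Return (host, port) when the URL passes the allowlist, else raise."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise TemplateURLError("scheme not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)  # bad port -> ValueError
    if port not in ALLOWED_PORTS:
        raise TemplateURLError("port not allowed")
    if parts.hostname in (None, "", "localhost"):
        raise TemplateURLError("host not allowed")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        addr = None  # DNS name; resolving and re-checking it is left to the caller
    if addr is not None and not addr.is_global:
        raise TemplateURLError("non-public address not allowed")
    return parts.hostname, port

def fetch_template(url, opener=urllib.request.urlopen):
    """Fetch the template body; every transport failure maps to GENERIC_ERROR."""
    validate_template_url(url)
    try:
        with opener(url, timeout=5) as resp:
            return resp.read().decode("utf-8")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # Log exc server-side; the user gets GENERIC_ERROR, never the raw banner.
        raise TemplateURLError(GENERIC_ERROR) from exc

def banner_opener(url, timeout=None):
    """Constructed stand-in for urlopen reaching a non-HTTP listener."""
    raise urllib.error.URLError("BadStatusLine('SSH-2.0-OpenSSH_6.6.1')")

def user_visible_error(url, opener=urllib.request.urlopen):
    """Message the user would see for a failed fetch (None on success)."""
    try:
        fetch_template(url, opener)
    except TemplateURLError as exc:
        return str(exc)
```

With the allowlist in front, http://localhost:22 is refused on the port check before a socket is opened, so neither a connection-reset nor a banner-bearing error can distinguish open ports from closed ones.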
** Information type changed from Private Security to Public Security
** Changed in: ossa
Status: Incomplete => In Progress
** Changed in: horizon
Status: New => Invalid
https://bugs.launchpad.net/bugs/1606500
Title:
Heat: template source URL allows network port scan
Status in heat:
Triaged
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Security Advisory:
In Progress