Bug 885588 (CVE-2014-3473) - VUL-0: CVE-2014-3473: openstack-dashboard: Multiple XSS Vulnerabilities in Horizon
Summary: VUL-0: CVE-2014-3473: openstack-dashboard: Multiple XSS Vulnerabilities in Ho...
Status: RESOLVED FIXED
Alias: CVE-2014-3473
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-07-21
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3-uptu:58752
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-03 05:40 UTC by Victor Pereira
Modified: 2015-02-19 01:50 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for juno (7.65 KB, patch)
2014-07-03 05:40 UTC, Victor Pereira
patch for havana (7.95 KB, patch)
2014-07-03 05:41 UTC, Victor Pereira
patch for icehouse (7.65 KB, patch)
2014-07-03 05:41 UTC, Victor Pereira

Description Victor Pereira 2014-07-03 05:40:36 UTC
Created attachment 597110
patch for juno

CVE-2014-3473, CVE-2014-3474 and CVE-2014-3475

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Multiple XSS vulnerabilities in Horizon
Reporter: Jason Hullinger (HP),
          Craig Lorentzen (Cisco),
          Michael Xin     (Rackspace)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1

Description:
Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and
Michael Xin from Rackspace reported 3 cross-site scripting (XSS)
vulnerabilities in Horizon. A malicious Orchestration template owner or
catalog may conduct an XSS attack once a corrupted template is used in
the Orchestration/Stack section of Horizon (CVE-2014-3473). A malicious
Horizon user may store an XSS attack by creating a network with a
corrupted name (CVE-2014-3474). A malicious Horizon administrator may
store an XSS attack by creating a user with a corrupted email address
(CVE-2014-3475). Once executed in a legitimate context these attacks may
result in potential asset stealing (horizon user/admin access
credentials, VMs/Network configuration/management, tenants' confidential
information, etc.). All Horizon setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno
development branch) on the public disclosure date.

CVE: CVE-2014-3473, CVE-2014-3474 and CVE-2014-3475

Proposed public disclosure date/time:
2014-07-08, 1500 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
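The three issues above share one pattern: a string that a tenant user or administrator controls (a stack template, a network name, a user's e-mail address) is stored and later rendered into HTML without escaping for the context it lands in. The snippet below is an added, constructed illustration of that pattern and its mitigation; it is not Horizon code and not the content of the attached patches (which are not reproduced on this page). Record values, function names and the rendering templates are all invented for the example; the `start_tags` helper parses the rendered fragment and returns the start tags it contains, which makes a simple unit-test oracle for "did stored data become markup?".

```python
"""Constructed illustration (not Horizon code) of stored XSS through
attacker-controlled names rendered into HTML, beside the escaped form."""
import html
from html.parser import HTMLParser

# Constructed sample records standing in for the advisory's "corrupted
# name" and "corrupted email address".  Entry [0] is benign, entry [1]
# carries markup.
SAMPLE_NETWORKS = [
    {"name": "private-net"},
    {"name": "<img src=x onerror=alert(1)>"},
]
SAMPLE_USERS = [
    {"email": "alice@example.com"},
    {"email": '"><script>alert(document.cookie)</script>'},
]


def render_network_row_unsafe(network: dict) -> str:
    """Vulnerable: the stored name is interpolated into HTML verbatim."""
    return "<tr><td>{}</td></tr>".format(network["name"])


def render_network_row(network: dict) -> str:
    """Hardened: escape for HTML text content before interpolation."""
    return "<tr><td>{}</td></tr>".format(html.escape(network["name"]))


def render_user_link_unsafe(user: dict) -> str:
    """Vulnerable: the e-mail lands both in an attribute and in text."""
    return '<a href="mailto:{0}">{0}</a>'.format(user["email"])


def render_user_link(user: dict) -> str:
    """Hardened: html.escape(quote=True) also encodes " and ', so the value
    cannot terminate the href attribute or open a new tag."""
    safe = html.escape(user["email"], quote=True)
    return '<a href="mailto:{0}">{0}</a>'.format(safe)


class _TagCollector(HTMLParser):
    """Collects the names of start tags seen while parsing a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(fragment: str) -> list:
    """Return the start tags the browser-like parser sees in `fragment`.
    A correctly escaped row yields only the tags of the template itself."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for net in SAMPLE_NETWORKS:
        print("unsafe:", start_tags(render_network_row_unsafe(net)))
        print("safe:  ", start_tags(render_network_row(net)))
    for user in SAMPLE_USERS:
        print("unsafe:", start_tags(render_user_link_unsafe(user)))
        print("safe:  ", start_tags(render_user_link(user)))
```

The check is deliberately simple: compare the tags the parser finds in the rendered output with the tags the template is supposed to produce. For the constructed records, the unsafe renderers surface an extra `img` and two extra `script` start tags, while the escaped renderers produce only `tr`/`td` and `a`. Escaping for the HTML attribute context stops the breakout shown here; a value placed inside a URL would additionally need URL-level validation, which this example does not cover.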
Comment 5 Swamp Workflow Management 2014-07-03 22:00:10 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2014-07-07 11:41:36 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-07-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58190
Comment 7 SMASH SMASH 2014-07-07 11:45:17 UTC
Affected packages:

SLE-11-SP2-PRODUCTS: openstack-dashboard
SLE-11-SP3: openstack-dashboard
SLE-11-SP3-CLOUD4: openstack-dashboard
SLE-11-SP3-PRODUCTS: openstack-dashboard
SLE-11-SP3-UPTU: openstack-dashboard
Comment 8 Bernhard Wiedemann 2014-07-10 06:12:42 UTC
not yet landed in Havana
https://review.openstack.org/#/q/Ic8a92e69f66c2d265a802f350e30f091181aa42e,n,z
Comment 10 Bernhard Wiedemann 2014-12-12 14:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (885588) was mentioned in
https://build.opensuse.org/request/show/265000 13.1 / openstack-dashboard
Comment 11 Victor Pereira 2014-12-16 09:08:54 UTC
released
Comment 12 Swamp Workflow Management 2015-01-19 13:05:48 UTC
openSUSE-SU-2015:0078-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 852175,869696,871855,885588,891815,908199
CVE References: CVE-2013-6858,CVE-2014-0157,CVE-2014-3473,CVE-2014-3474,CVE-2014-3475,CVE-2014-3594,CVE-2014-8124
Sources used:
openSUSE 13.1 (src):    openstack-dashboard-2013.2.5.dev2.g9ee7273-4.1, python-django_openstack_auth-1.1.3-4.1