Bug 991461 (CVE-2016-9185) - VUL-0: CVE-2016-9185: openstack-glance, openstack-heat: port scanning internal structure possible by cloud hosts
Status: RESOLVED FIXED
Alias: CVE-2016-9185
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2016-9185:4.0:(AV:N/A...
Reported: 2016-08-01 11:44 UTC by Marcus Meissner
Modified: 2018-10-21 14:45 UTC
Comment 3 Marcus Meissner 2016-11-18 16:22:47 UTC
==============================================================================
OSSA-2016-013: Network information disclosure through Heat template
source URL
==============================================================================

:Date: November 18, 2016
:CVE: CVE-2016-9185


Affects
~~~~~~~
- Heat: <=5.0.3, >=6.0.0 <=6.1.0 and ==7.0.0


Description
~~~~~~~~~~~
Tom Patzig from SAP reported a vulnerability in Heat. By launching a
new Heat stack with a local URL an authenticated user may conduct
network discovery revealing internal network configuration. All Heat
setups are affected.


Patches
~~~~~~~
- https://review.openstack.org/393149 (Liberty)
- https://review.openstack.org/393148 (Mitaka)
- https://review.openstack.org/393147 (Newton)
- https://review.openstack.org/393146 (Ocata)


Credits
~~~~~~~
- Tom Patzig from SAP (CVE-2015-9185)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1606500
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9185

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
Comment 5 Marcus Meissner 2016-12-21 13:30:20 UTC
*** Bug 991267 has been marked as a duplicate of this bug. ***
Comment 6 alex runge 2017-01-09 15:44:57 UTC
(In reply to Marcus Meissner from comment #5)
> *** Bug 991267 has been marked as a duplicate of this bug. ***

It appears the fix silently made it into SOC6:

root@controller1:~ # rpm -qi --changelog python-heat | less
Name        : python-heat
Version     : 5.0.4~a0~dev1
Release     : 12.1
Architecture: noarch
Install Date: Tue 20 Dec 2016 03:42:42 PM CET
Group       : Development/Languages/Python
Size        : 12558192
License     : Apache-2.0
Signature   : RSA/SHA256, Wed 16 Nov 2016 11:14:11 AM CET, Key ID 70af9e8139db7c82
Source RPM  : openstack-heat-5.0.4~a0~dev1-12.1.src.rpm
Build Date  : Wed 16 Nov 2016 11:13:38 AM CET
Build Host  : sheep12
Relocations : (not relocatable)
Packager    : https://www.suse.com/
Vendor      : SUSE LLC <https://www.suse.com/>
URL         : https://launchpad.net/heat
Summary     : Openstack Orchestration (Heat) - Python module
Description :
This package contains the core Python module of OpenStack Heat.
Distribution: SUSE Linux Enterprise 12
* Fri Nov 04 2016 cloud-devel@suse.de
- Update to version heat-5.0.4.dev1:
  * Prevent template validate from scanning ports
  5.0.3
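
An added example, not part of the bug thread and not SUSE or OpenStack code: the manual check from comment 6, automated in Python. It compares the installed package version against the advisory's "Affects" ranges with a simplified RPM ordering (including `~` pre-release tags) and looks for the fix entry in the changelog; the function names and the trimmed sample input are assumptions made for illustration.

```python
import re

# Inclusive (low, high) ranges from the "Affects" line of OSSA-2016-013.
AFFECTED = [(None, "5.0.3"), ("6.0.0", "6.1.0"), ("7.0.0", "7.0.0")]
# Strings that indicate the fix: the CVE id and the changelog entry quoted in comment 6.
FIX_MARKERS = ("CVE-2016-9185", "Prevent template validate from scanning ports")
_TOKEN = re.compile(r"~|\d+|[A-Za-z]+")

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no epoch, release or '^'): returns -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == y:
            continue
        if x == "~" or y == "~":        # '~' sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x is None or y is None:      # otherwise the longer version is newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) == int(y):        # e.g. "01" vs "1"
                continue
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return 0

def in_affected_range(version):
    return any((low is None or rpm_vercmp(version, low) >= 0)
               and rpm_vercmp(version, high) <= 0 for low, high in AFFECTED)

def assess(rpm_output):
    """Parse `rpm -qi --changelog` text: version, range match, fix marker present."""
    m = re.search(r"^Version\s*:\s*(\S+)", rpm_output, re.MULTILINE)
    version = m.group(1) if m else None
    return {"version": version,
            "in_affected_range": in_affected_range(version) if version else None,
            "changelog_has_fix": any(s in rpm_output for s in FIX_MARKERS)}

# Sample input: lines excerpted from the rpm output quoted in comment 6.
SAMPLE = """Name        : python-heat
Version     : 5.0.4~a0~dev1
* Fri Nov 04 2016 cloud-devel@suse.de
- Update to version heat-5.0.4.dev1:
  * Prevent template validate from scanning ports
"""
```

A version outside the listed ranges is only a hint, because distributions backport fixes and ship pre-release snapshots; the changelog marker is the stronger signal.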
Comment 7 Dirk Mueller 2017-02-01 11:16:26 UTC
The CVE and bug number are mentioned in the changelog, nothing left to be done from our side.
Comment 8 Johannes Segitz 2018-10-10 11:32:34 UTC
fixed