
[USN-2323-1] OpenStack Horizon vulnerabilities

Posted on 21 August 2014
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-2323-1
August 21, 2014

horizon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenStack Horizon.

Software Description:
- horizon: Web interface for OpenStack cloud infrastructure

Details:

Jason Hullinger discovered that OpenStack Horizon did not properly perform
input sanitization on Heat templates. If a user were tricked into using a
specially crafted Heat template, an attacker could conduct cross-site
scripting attacks. With cross-site scripting vulnerabilities, if a user
were tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2014-3473)

Craig Lorentzen discovered that OpenStack Horizon did not properly perform
input sanitization when creating networks. If a user were tricked into
launching an image using the crafted network name, an attacker could
conduct cross-site scripting attacks. (CVE-2014-3474)

Michael Xin discovered that OpenStack Horizon did not properly perform
input sanitization when adding users. If an admin user were tricked into
viewing the users page containing a crafted email address, an attacker
could conduct cross-site scripting attacks. (CVE-2014-3475)

Dennis Felsch and Mario Heiderich discovered that OpenStack Horizon did not
properly perform input sanitization when creating host aggregates. If an
admin user were tricked into viewing the Host Aggregates page containing a
crafted availability zone name, an attacker could conduct cross-site
scripting attacks. (CVE-2014-3594)
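
All four issues are the same bug class: an operator-supplied string (a Heat template field, a network name, a user's e-mail address, an availability zone name) is written into a Horizon page without HTML escaping, so markup in the string is interpreted by the browser of whoever views that page. The block below is an added illustration, not Horizon code and not the actual patch: it stands in for the template layer with plain string formatting, renders constructed payloads (labelled as such; none are taken from the advisory) through a raw and an escaped renderer in both text-node and attribute context, and checks which output still contains the payload verbatim.

```python
import html

# Constructed payloads (not taken from the advisory or from Horizon); each
# stands in for one of the four operator-controlled strings the notice
# says reached a Horizon page unescaped.
PAYLOADS = {
    "heat_template_field": "</textarea><script>alert('heat')</script>",
    "network_name": "<script>alert('net')</script>",
    "user_email": '"><img src=x onerror=alert(1)>',
    "availability_zone": "az1</td><td><script>alert('az')</script>",
}


def render_cell_vulnerable(value):
    """Text-node context with the value interpolated raw: the bug class."""
    return "<td>%s</td>" % value


def render_cell_fixed(value):
    """Same cell with the value HTML-escaped before interpolation."""
    return "<td>%s</td>" % html.escape(str(value), quote=True)


def render_attr_vulnerable(value):
    """Attribute context, raw; a '"' in the value closes the attribute."""
    return '<input name="email" value="%s">' % value


def render_attr_fixed(value):
    """Attribute context; quote=True also encodes '"' and "'", which is
    what makes escaping sufficient inside a quoted attribute."""
    return '<input name="email" value="%s">' % html.escape(str(value), quote=True)


def survives_unescaped(rendered, value):
    """True when a value containing markup characters appears verbatim in
    the output, i.e. the browser would interpret it as HTML."""
    return any(c in value for c in "<>\"'") and value in rendered


def audit():
    """Run every payload through the raw and the escaped renderer.

    The e-mail payload is rendered in attribute context, the rest as table
    cells. Returns {payload_name: (vulnerable_leaks, fixed_leaks)}; a
    correct fix yields (True, False) for every entry."""
    results = {}
    for name, payload in PAYLOADS.items():
        if name == "user_email":
            raw, fixed = render_attr_vulnerable, render_attr_fixed
        else:
            raw, fixed = render_cell_vulnerable, render_cell_fixed
        results[name] = (
            survives_unescaped(raw(payload), payload),
            survives_unescaped(fixed(payload), payload),
        )
    return results


if __name__ == "__main__":
    for name, (vuln, fixed) in audit().items():
        print("%-20s raw_leaks=%s escaped_leaks=%s" % (name, vuln, fixed))
```

Horizon is a Django application, so the equivalent fix there is to leave template autoescaping on and build any HTML fragment with django.utils.html.format_html (which escapes its arguments) instead of wrapping a concatenated string in mark_safe; the stand-in above only shows why escaping at the point of output is what closes the hole, whatever the input looked like when it was stored.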

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.2-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2323-1
CVE-2014-3473, CVE-2014-3474, CVE-2014-3475, CVE-2014-3594

Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2014.1.2-0ubuntu1.1
