[USN-2323-1] OpenStack Horizon vulnerabilities
Posted on 21 August 2014
==========================================================================
Ubuntu Security Notice USN-2323-1
August 21, 2014
horizon vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Horizon.
Software Description:
- horizon: Web interface for OpenStack cloud infrastructure
Details:
Jason Hullinger discovered that OpenStack Horizon did not properly perform
input sanitization on Heat templates. If a user were tricked into using a
specially crafted Heat template, an attacker could conduct cross-site
scripting attacks. With cross-site scripting vulnerabilities, if a user
were tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2014-3473)
Craig Lorentzen discovered that OpenStack Horizon did not properly perform
input sanitization when creating networks. If a user were tricked into
launching an image using the crafted network name, an attacker could
conduct cross-site scripting attacks. (CVE-2014-3474)
Michael Xin discovered that OpenStack Horizon did not properly perform
input sanitization when adding users. If an admin user were tricked into
viewing the users page containing a crafted email address, an attacker
could conduct cross-site scripting attacks. (CVE-2014-3475)
Dennis Felsch and Mario Heiderich discovered that OpenStack Horizon did not
properly perform input sanitization when creating host aggregates. If an
admin user were tricked into viewing the Host Aggregates page containing a
crafted availability zone name, an attacker could conduct cross-site
scripting attacks. (CVE-2014-3594)
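The four issues above are one bug class: a string that a less privileged party controls (a network name, a user's e-mail address, an availability zone name, Heat template content) is later rendered into a page viewed by a more privileged user without output encoding for the HTML context it lands in. Horizon is a Django application, and Django's template engine escapes by default, so this class of bug typically appears where a value is marked safe or where markup is assembled outside the template engine. The block below is an added illustration of the pattern and its fix, not Horizon's code and not the fix that shipped in the package versions listed further down; the sample values in CRAFTED, the ROW template and all function names are constructed for this example. It also shows a half-fix that practitioners often reach for (escaping only <, > and &), which leaves the attribute-context cases open.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from the advisory) of the kind it
# describes: strings a tenant or low-privileged user can set and that an
# admin's browser later renders in a table.
CRAFTED = {
    "network_name": "prod-net<script>alert(document.cookie)</script>",
    "email": 'bob@example.com"><img src=x onerror=alert(1)>',
    "availability_zone": 'nova" onmouseover="alert(document.domain)',
}

# Hypothetical row template: the value lands in an attribute and in a text node.
ROW = '<tr><td>%s</td><td title="%s">%s</td></tr>'


def render_row_unsafe(label, value):
    """Vulnerable pattern: the user-controlled string is spliced into markup
    as-is. In a Django app this is what happens when a value is marked safe
    (mark_safe / |safe) or when HTML is built by hand in Python or JavaScript
    instead of by the auto-escaping template engine."""
    return ROW % (label, value, value)


def render_row_half_fixed(label, value):
    """Escapes only <, > and &. Enough for a text node, but a value placed in
    an attribute can still close the attribute with a quote and add an event
    handler, so the attribute-context cases remain exploitable."""
    esc = html.escape(value, quote=False)
    return ROW % (html.escape(label, quote=False), esc, esc)


def render_row_safe(label, value):
    """Hardened pattern: escape <, >, &, " and ' (html.escape's default and
    what Django's auto-escaping does), so the value can neither terminate the
    attribute nor start a tag in either context."""
    esc = html.escape(value, quote=True)
    return ROW % (html.escape(label, quote=True), esc, esc)


class _TagCollector(HTMLParser):
    """Collects the start tags a tolerant HTML parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag_name, {attr_name: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injects_markup(fragment):
    """Oracle for this demo (not a production XSS filter): parse the fragment
    roughly as a browser would and report whether any element other than the
    intended <tr>/<td> appears, or any on* event-handler attribute shows up."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    for tag, attrs in parser.tags:
        if tag not in ("tr", "td"):
            return True
        if any(name.startswith("on") for name in attrs):
            return True
    return False


def audit(renderer):
    """Render every crafted value with `renderer` and return the field names
    whose value injected markup (an empty list means the renderer held)."""
    return [field for field, value in CRAFTED.items()
            if injects_markup(renderer(field, value))]


if __name__ == "__main__":
    for renderer in (render_row_unsafe, render_row_half_fixed, render_row_safe):
        print("%-22s injected via: %s" % (renderer.__name__, audit(renderer) or "nothing"))
```

The half-fixed renderer is the instructive case: the `<script>` payload is neutralised, but the availability zone payload still becomes an `onmouseover` attribute because the double quote was left alone. Escaping must match the context the value is written into; for attribute contexts that means quotes as well as angle brackets, and for JavaScript or URL contexts it means a different encoder again.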
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
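When checking a fleet against an advisory like this one, the question is whether each host's installed version is at least the fixed version, and Debian version strings are not compared as plain strings: the epoch (the `1:` prefix) wins first, then the upstream part, then the revision, with `~` sorting before everything including the empty string. The block below is an added example, not part of the notice or of dpkg; it re-implements dpkg's comparison rules in Python so the check runs anywhere, and parses constructed `dpkg-query -W -f='${Package} ${Version}\n'` output embedded inline. On a real host you would feed it the live output of that command, or simply use `dpkg --compare-versions` directly.

```python
# Added example: dpkg-style version comparison applied to the fixed version
# named in the notice. The algorithm mirrors dpkg's verrevcmp(); the sample
# dpkg-query output at the bottom is constructed for this example.

FIXED = {"openstack-dashboard": "1:2014.1.2-0ubuntu1.1"}  # from the notice

DIGITS = "0123456789"


def _order(c):
    """Sort weight of a non-digit character, as in dpkg: '~' sorts before
    anything (even end-of-string), letters before non-letters."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings dpkg-style:
    alternate runs of non-digits (compared by _order) and digits (compared
    numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would order version a against version b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def audit_dpkg_output(text, fixed=FIXED):
    """Read 'package version' lines and return {package: installed_version}
    for every package in `fixed` that is still below its fixed version."""
    behind = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            behind[pkg] = ver
    return behind


# Constructed sample of dpkg-query output from a not-yet-updated host.
SAMPLE_DPKG_OUTPUT = """\
apache2 2.4.7-1ubuntu4.1
openstack-dashboard 1:2014.1.1-0ubuntu2
"""

if __name__ == "__main__":
    for pkg, ver in audit_dpkg_output(SAMPLE_DPKG_OUTPUT).items():
        print("%s %s is below fixed version %s" % (pkg, ver, FIXED[pkg]))
```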
References:
http://www.ubuntu.com/usn/usn-2323-1
CVE-2014-3473, CVE-2014-3474, CVE-2014-3475, CVE-2014-3594
Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2014.1.2-0ubuntu1.1