apache server-status is open on almost all http openstack services

Bug #1996913 reported by Cyril Lopez
Affects        Series    Status         Importance  Assigned to
kolla-ansible  (status tracked in Bobcat)
               Antelope  Fix Committed  High        Maksim Malchuk
               Bobcat    Fix Released   High        Maksim Malchuk
               Wallaby   Won't Fix      High        Maksim Malchuk
               Xena      Fix Released   High        Maksim Malchuk
               Yoga      Fix Committed  High        Maksim Malchuk
               Zed       Fix Committed  High        Maksim Malchuk

Bug Description

By default, in Docker, server-status is restricted to the local network, but as HAProxy is in the local network, it makes it available for everyone.

If you google kolla server-status, you will find some kolla deployments indexed...

server-status should be restricted to localhost.

Apache2 config applied:

<Location /server-status>
    SetHandler server-status
    Require local
    #Require ip 192.0.2.0/24
</Location>

Affects only Ubuntu/Debian installations.

Tags: horrizon
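A probe for the condition described in this report, as an added example that is not code from the report or from kolla-ansible. classify() maps the three outcomes that show up in this thread (200 carrying the mod_status page means exposed, 403 means a deny rule in HAProxy or Apache is in place, anything else such as Horizon's custom 404 means the handler is absent), probe() runs it against a public endpoint, and leaked_requests() pulls the peer addresses and in-flight request lines out of an exposed page, which is what an outsider actually gains from it. The status-page snippet is constructed with a reduced column set (real mod_status tables carry more columns; only the ones read here are included), and the example endpoint names are placeholders.

```python
# Added example; not from the bug report or kolla-ansible.
# SAMPLE_STATUS_PAGE is constructed; real mod_status output has more columns.
import ssl
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

EXPOSED, BLOCKED, ABSENT = "exposed", "blocked", "absent"


def classify(status_code: int, body: str) -> str:
    """Interpret one response to GET /server-status."""
    if status_code == 200 and "Apache Server Status" in body:
        return EXPOSED          # the condition reported in this bug
    if status_code == 403:
        return BLOCKED          # HAProxy deny or Apache Require rejected it
    return ABSENT               # e.g. Horizon's own 404: no mod_status handler


def probe(base_url: str, timeout: float = 5.0, verify_tls: bool = True) -> str:
    """Fetch <base_url>/server-status and classify the answer (needs network)."""
    ctx = ssl.create_default_context()
    if not verify_tls:          # lab deployments often use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + "/server-status",
                                 headers={"User-Agent": "server-status-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


class _StatusTable(HTMLParser):
    """Collect every <tr> of the page as a list of cell strings."""

    def __init__(self) -> None:
        super().__init__()
        self.rows: list[list[str]] = []
        self._row: list[str] = []
        self._cell, self._in_cell = "", False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._in_cell, self._cell = True, ""

    def handle_endtag(self, tag):
        if tag in ("td", "th"):
            self._row.append(self._cell.strip())
            self._in_cell = False
        elif tag == "tr" and self._row:
            self.rows.append(self._row)

    def handle_data(self, data):
        if self._in_cell:
            self._cell += data


def leaked_requests(body: str) -> list[tuple[str, str]]:
    """(client, request) pairs from the worker table of an exposed status page."""
    parser = _StatusTable()
    parser.feed(body)
    header, found = None, []
    for row in parser.rows:
        if "Client" in row and "Request" in row:
            header = row                     # the column header row
            continue
        if header and len(row) == len(header):
            rec = dict(zip(header, row))
            if rec["Request"]:               # idle workers have an empty Request
                found.append((rec["Client"], rec["Request"]))
    return found


# Constructed sample of an exposed page (reduced column set).
SAMPLE_STATUS_PAGE = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for 10.0.0.11 (via 10.0.0.11)</h1>
<table border="0">
<tr><th>Srv</th><th>PID</th><th>M</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>312</td><td>W</td><td>10.0.0.11</td><td>horizon:80</td><td>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>313</td><td>K</td><td>192.0.2.50</td><td>keystone:5000</td><td>POST /v3/auth/tokens HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>314</td><td>_</td><td></td><td></td><td></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    # usage: python server_status_check.py https://openstack.example.org https://openstack.example.org:5000
    for url in sys.argv[1:]:
        print(url, probe(url, verify_tls=False))
```

Run it once per public endpoint (Horizon, Keystone, and the other Apache/mod_wsgi services behind HAProxy); anything that comes back "exposed" is the bug, and "absent" is what a deployment without mod_status returns, which is the difference between the reporter's and Bartosz's results later in this thread.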
Revision history for this message
Cyril Lopez (cylopez) wrote :

I did a quick fix by adding a rule in HAProxy for public Horizon:

frontend horizon_external_front
    mode http
    http-request del-header X-Forwarded-Proto
    use_backend acme_client_back if { path_reg ^/.well-known/acme-challenge/.+ }
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    bind XXXXXXXX:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend horizon_external_back
+ http-request deny if { path -i -m beg /server-status }
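Review bot: the deny is added only to horizon_external_front, so /server-status stays reachable through the internal frontend and through the other Apache-backed services HAProxy exposes (the bug title was later widened to almost all http services); the same `http-request deny if { path -i -m beg /server-status }` belongs on every http frontend, or the handler should be closed in Apache itself, since with the default `Require local` a request arriving from HAProxy on the local network still counts as local. Note that `-m beg` is a prefix match, so `/server-status-anything` is denied as well.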

Revision history for this message
Maksim Malchuk (mmalchuk) wrote :
Changed in kolla-ansible:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Maksim Malchuk (mmalchuk)
Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

Setting to public security since a patch has been submitted to gerrit.

information type: Private Security → Public Security
Revision history for this message
Bartosz Bezak (bbezak) wrote :

I did a quick check and I was not able to use horizon/server-status with Victoria and Yoga kayobe/kolla-ansible deployments:

curl https://openstack/server-status

404:
...
<h2 id="page_heading">Sorry, the page you were looking for does not exist</h2>
...

Revision history for this message
Maksim Malchuk (mmalchuk) wrote :

Bartosz, maybe your deployments don't have an external backend in HAProxy for Horizon? Check the configuration.
In my case, 3 controller nodes with an external public endpoint are affected in Xena, so at least Yoga is affected too. Victoria is EOL, so not interested.

summary: - apache server-status is open on horizon
+ apache server-status is open on almost all http openstack services
description: updated
Revision history for this message
Michal Nasiadka (mnasiadka) wrote :

Maksim, of course we have an external backend in HAProxy for Horizon, and we still get 404 - it's Yoga.
I'd need steps to reproduce - even the internal backend does not respond to /server-status.

Revision history for this message
Maksim Malchuk (mmalchuk) wrote :

As discussed in the review, this is an issue with Ubuntu/Debian only, where mod_status is installed and enabled by default.

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/888943
Committed: https://opendev.org/openstack/kolla-ansible/commit/e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9
Submitter: "Zuul (22348)"
Branch: master

commit e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9
Author: Maksim Malchuk <email address hidden>
Date: Tue Aug 8 11:35:55 2023 +0300

    Deny access to public /server-status in http Openstack services

    This change blocks access to the public /server-status URL on all
    http services exposed by HAProxy, and also fixes an issue with Horizon
    where 'Require all granted' opens access to /server-status in
    HAProxy-less configurations. Without this change the issue
    affects only Ubuntu/Debian installations, where mod_status in Apache2
    is enabled by default.

    Closes-Bug: #1996913
    Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
    Signed-off-by: Maksim Malchuk <email address hidden>

Changed in kolla-ansible:
status: In Progress → Fix Released
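A check that the fix above actually landed on every frontend, as an added example that is not kolla-ansible code. The commit says the deny applies to all http services exposed by HAProxy, so on a patched controller one can run this over the rendered haproxy.cfg (the path /etc/kolla/haproxy/haproxy.cfg below is assumed) and expect an empty list. It assumes the rule has the shape of the reporter's quick fix (an `http-request deny` whose condition names /server-status), and treats a frontend without its own `mode` line as inheriting the one from `defaults`, HAProxy's built-in default being tcp; tcp frontends are skipped because Apache never sees a URL path through them. The sample config is constructed.

```python
# Added example; not from kolla-ansible. SAMPLE_HAPROXY_CFG is constructed and
# the deny-rule shape assumed is the one from the reporter's quick fix.
import re
import sys

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?\s*$")
DENY_RE = re.compile(r"^http-request\s+deny\b.*\bserver-status\b")


def parse_sections(cfg: str) -> list[tuple[str, str, list[str]]]:
    """Split haproxy.cfg into (kind, name, directive lines), comments stripped."""
    sections: list[tuple[str, str, list[str]]] = []
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "", [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def unprotected_frontends(cfg: str) -> list[str]:
    """Names of http frontends/listeners with no deny rule for /server-status."""
    default_mode = "tcp"                      # HAProxy's built-in default
    missing = []
    for kind, name, lines in parse_sections(cfg):
        mode = next((l.split()[1] for l in lines if l.startswith("mode ")), None)
        if kind == "defaults":
            default_mode = mode or default_mode
            continue
        if kind not in ("frontend", "listen"):
            continue
        if (mode or default_mode) != "http":
            continue                           # tcp passthrough: no URL to match
        if not any(DENY_RE.match(l) for l in lines):
            missing.append(name)
    return missing


# Constructed sample: Horizon patched, Keystone not, MariaDB is tcp.
SAMPLE_HAPROXY_CFG = """\
global
    daemon

defaults
    mode http
    timeout client 1m

frontend horizon_external_front
    mode http
    bind 203.0.113.10:443 ssl crt /etc/haproxy/haproxy.pem
    http-request deny if { path -i -m beg /server-status }
    default_backend horizon_external_back

frontend keystone_external_front
    # mode inherited from defaults
    bind 203.0.113.10:5000 ssl crt /etc/haproxy/haproxy.pem
    default_backend keystone_external_back

listen mariadb
    mode tcp
    bind 10.0.0.5:3306
    server ctl1 10.0.0.11:3306 check

backend horizon_external_back
    server ctl1 10.0.0.11:80 check
"""

if __name__ == "__main__":
    # usage: python haproxy_status_audit.py /etc/kolla/haproxy/haproxy.cfg
    path = sys.argv[1] if len(sys.argv) > 1 else None
    cfg = open(path).read() if path else SAMPLE_HAPROXY_CFG
    for name in unprotected_frontends(cfg):
        print("no /server-status deny on", name)
```

Because HAProxy is only the outer layer, a clean result here says the public path is closed; the Apache-side `Require` still decides what the internal network and any HAProxy-less setup can reach.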
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/890857

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/890858

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/890859

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/890860

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/890857
Committed: https://opendev.org/openstack/kolla-ansible/commit/817d92fa387ccaf2393392a1bf05cf86461fc612
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 817d92fa387ccaf2393392a1bf05cf86461fc612
Author: Maksim Malchuk <email address hidden>
Date: Tue Aug 8 11:35:55 2023 +0300

    Deny access to public /server-status in http Openstack services

    This change blocks access to the public /server-status URL on all
    http services exposed by HAProxy, and also fixes an issue with Horizon
    where 'Require all granted' opens access to /server-status in
    HAProxy-less configurations. Without this change the issue
    affects only Ubuntu/Debian installations, where mod_status in Apache2
    is enabled by default.

    Closes-Bug: #1996913
    Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/890858
Committed: https://opendev.org/openstack/kolla-ansible/commit/f381fb54886aa6da94a4fc858b8bd8ec266d214a
Submitter: "Zuul (22348)"
Branch: stable/zed

commit f381fb54886aa6da94a4fc858b8bd8ec266d214a
Author: Maksim Malchuk <email address hidden>
Date: Tue Aug 8 11:35:55 2023 +0300

    Deny access to public /server-status in http Openstack services

    This change blocks access to the public /server-status URL on all
    http services exposed by HAProxy, and also fixes an issue with Horizon
    where 'Require all granted' opens access to /server-status in
    HAProxy-less configurations. Without this change the issue
    affects only Ubuntu/Debian installations, where mod_status in Apache2
    is enabled by default.

    Closes-Bug: #1996913
    Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/890860
Committed: https://opendev.org/openstack/kolla-ansible/commit/b037e7f9c7672aa75373724bf84cfc3c8f6277b6
Submitter: "Zuul (22348)"
Branch: stable/xena

commit b037e7f9c7672aa75373724bf84cfc3c8f6277b6
Author: Maksim Malchuk <email address hidden>
Date: Tue Aug 8 11:35:55 2023 +0300

    Deny access to public /server-status in http Openstack services

    This change blocks access to the public /server-status URL on all
    http services exposed by HAProxy, and also fixes an issue with Horizon
    where 'Require all granted' opens access to /server-status in
    HAProxy-less configurations. Without this change the issue
    affects only Ubuntu/Debian installations, where mod_status in Apache2
    is enabled by default.

    Closes-Bug: #1996913
    Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/890859
Committed: https://opendev.org/openstack/kolla-ansible/commit/893b806279fa01ee0515e0aa5ab9329dd1d11f30
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 893b806279fa01ee0515e0aa5ab9329dd1d11f30
Author: Maksim Malchuk <email address hidden>
Date: Tue Aug 8 11:35:55 2023 +0300

    Deny access to public /server-status in http Openstack services

    This change blocks access to the public /server-status URL on all
    http services exposed by HAProxy, and also fixes an issue with Horizon
    where 'Require all granted' opens access to /server-status in
    HAProxy-less configurations. Without this change the issue
    affects only Ubuntu/Debian installations, where mod_status in Apache2
    is enabled by default.

    Closes-Bug: #1996913
    Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible xena-eol

This issue was fixed in the openstack/kolla-ansible xena-eol release.

This report contains Public Security information.