2021-02-09 19:10:25 |
Lucas Kanashiro |
bug |
|
|
added bug |
2021-02-09 19:10:40 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Bionic |
|
2021-02-09 19:10:40 |
Lucas Kanashiro |
bug task added |
|
fence-agents (Ubuntu Bionic) |
|
2021-02-09 19:10:40 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Groovy |
|
2021-02-09 19:10:40 |
Lucas Kanashiro |
bug task added |
|
fence-agents (Ubuntu Groovy) |
|
2021-02-09 19:10:40 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Focal |
|
2021-02-09 19:10:40 |
Lucas Kanashiro |
bug task added |
|
fence-agents (Ubuntu Focal) |
|
2021-02-09 19:10:53 |
Lucas Kanashiro |
fence-agents (Ubuntu): status |
New |
Fix Committed |
|
2021-02-09 20:54:01 |
Lucas Kanashiro |
description |
Last year, AWS released "IMDSv2" in an effort to protect customers against some potentially severe information leaks related to accidentally proxying this local data to the network. Details at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
IMDSv2 makes use of a session-based protocol, requiring clients to first retrieve a time-limited session token, and then to include that token with subsequent requests.
Because the intended purpose of IMDSv2 is to provide an additional layer of defense against network abuses, customers utilizing it may choose to disable IMDSv1. Disabling IMDSv2 today causes fence_aws to fail. |
[Impact]
This update is considered a hardware enablement feature which will allow AWS users to make use of the IMDSv2 support recently added to fence-agents. This is an important security-related feature recently introduced by AWS.
[Test Case]
TBD
[Where problems could occur]
All the patches needed change only the fence_aws.py file, so if a problem could occur it would affect only fence_aws.
[Original Description]
Last year, AWS released "IMDSv2" in an effort to protect customers against some potentially severe information leaks related to accidentally proxying this local data to the network. Details at https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
IMDSv2 makes use of a session-based protocol, requiring clients to first retrieve a time-limited session token, and then to include that token with subsequent requests.
Because the intended purpose of IMDSv2 is to provide an additional layer of defense against network abuses, customers utilizing it may choose to disable IMDSv1. Disabling IMDSv2 today causes fence_aws to fail. |
|
2021-02-09 20:54:13 |
Lucas Kanashiro |
summary |
Backport the fence_aws support for IMDSv2 |
[SRU] Backport the fence_aws support for IMDSv2 |
|
2021-02-09 20:56:10 |
Lucas Kanashiro |
fence-agents (Ubuntu Bionic): status |
New |
In Progress |
|
2021-02-09 20:56:12 |
Lucas Kanashiro |
fence-agents (Ubuntu Focal): status |
New |
In Progress |
|
2021-02-09 20:56:16 |
Lucas Kanashiro |
fence-agents (Ubuntu Groovy): status |
New |
In Progress |
|
2021-02-09 20:56:22 |
Lucas Kanashiro |
fence-agents (Ubuntu Bionic): assignee |
|
Lucas Kanashiro (lucaskanashiro) |
|
2021-02-09 20:56:24 |
Lucas Kanashiro |
fence-agents (Ubuntu Focal): assignee |
|
Lucas Kanashiro (lucaskanashiro) |
|
2021-02-09 20:56:26 |
Lucas Kanashiro |
fence-agents (Ubuntu Groovy): assignee |
|
Lucas Kanashiro (lucaskanashiro) |
|
2021-02-09 20:56:29 |
Lucas Kanashiro |
fence-agents (Ubuntu): assignee |
|
Lucas Kanashiro (lucaskanashiro) |
|
2021-02-10 17:18:29 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/fence-agents/+git/fence-agents/+merge/397843 |
|
2021-02-10 17:19:11 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/fence-agents/+git/fence-agents/+merge/397844 |
|
2021-02-10 17:20:32 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/fence-agents/+git/fence-agents/+merge/397845 |
|
2021-02-10 17:21:51 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/fence-agents/+git/fence-agents/+merge/397846 |
|
2021-02-22 18:35:14 |
Dan Streetman |
bug |
|
|
added subscriber Dan Streetman |
2021-07-28 23:17:13 |
Brian Murray |
fence-agents (Ubuntu Groovy): status |
In Progress |
Won't Fix |
|