Jump to: navigation, search

Difference between revisions of "OSSN/OSSN-0101"

(Add OSSN-0101)
 
(Affected Services / Software)
 
Line 10: Line 10:
  
 
== Affected Services / Software ==
 
== Affected Services / Software ==
* nova: >=12.0.0
+
* nova >=12.0.0 <31.3.2, >=32.0.0 <32.2.2, >=33.0.0 <33.0.3
  
 
== Discussion ==
 
== Discussion ==

Latest revision as of 18:33, 9 July 2026

Nova console WebSocket proxy Origin allow-list poisoning

Summary

The Nova console WebSocket proxy mutates a shared, process-global oslo.config allowed_origins list on every incoming request by appending the client-controlled Host header value. Because oslo.config returns a cached list object, these appends persist for the lifetime of the proxy process. This permanently weakens the cross-origin protection on the console proxy and causes unbounded memory growth.

Affected Services / Software

  • nova >=12.0.0 <31.3.2, >=32.0.0 <32.2.2, >=33.0.0 <33.0.3

Discussion

On each request, the proxy appends the Host header to CONF.console.allowed_origins to allow the proxy's own hostname. This mutates the shared oslo.config cached list rather than operating on a copy, so any Host value ever seen is retained permanently for the life of the process.

An unauthenticated attacker can inject arbitrary hostnames into the allow-list by sending requests with crafted Host headers, defeating the Origin check for all subsequent requests. The unbounded list growth also enables a slow memory exhaustion DoS.

Recommended Actions

Apply the provided Nova patches. The fix copies the config list before appending, so mutations do not persist across requests.

Patches

The following reviews contain the fix for this issue:

Credits

Sergey r0binak Kanibor, Luntry

Contacts / References

  • Authors: Goutham Pacha Ravi, Red Hat