Jump to: navigation, search

Difference between revisions of "OSSN/OSSN-0093"

m (embolden the date)
(switch to an indeterminate disclosure timeline for now)
Line 3: Line 3:
 
=== Summary ===
 
=== Summary ===
  
A severe security vulnerability in all versions of the Murano service will be disclosed on '''Thursday, March 14, 2024'''. Murano is an inactive project, so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, before that date. This security note will be amended at the time of public disclosure to include further details and context, but '''action should be taken prior to March 14''' in order to minimize the risk it poses.
+
A severe security vulnerability in all versions of the Murano service will be disclosed at a later date. Murano is an inactive project, so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, at the earliest opportunity. This security note will be amended at the time of public disclosure to include further details and context, but '''action should be taken as soon as possible''' in order to minimize the risk it poses.
  
 
=== Affected Services / Software ===  
 
=== Affected Services / Software ===  
Line 11: Line 11:
 
=== Discussion ===  
 
=== Discussion ===  
  
This security note is a redacted placeholder, and will be amended on '''Thursday, March 14, 2024''' with complete details.
+
This security note is a redacted placeholder, and will be amended with complete details once the associated bug report becomes public.
  
 
===  Recommended Actions ===  
 
===  Recommended Actions ===  

Revision as of 15:47, 7 March 2024

Unresolved Vulnerability in Murano

Summary

A severe security vulnerability in all versions of the Murano service will be disclosed at a later date. Murano is an inactive project, so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, at the earliest opportunity. This security note will be amended at the time of public disclosure to include further details and context, but action should be taken as soon as possible in order to minimize the risk it poses.

Affected Services / Software

Murano

Discussion

This security note is a redacted placeholder, and will be amended with complete details once the associated bug report becomes public.

Recommended Actions

Disable the Murano service in, or fully remove it from, all OpenStack deployments at the earliest opportunity.

Contacts / References

Author:

  • Jeremy Stanley, OpenStack Vulnerability Coordinator


This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0093

Original LaunchPad Bug : https://launchpad.net/bugs/2048114 (not yet public)

Mailing List : [security-sig] openstack-discuss@lists.openstack.org

Retrieved from "https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0093&oldid=184481"