URL: https://security.openstack.org/



OPENSTACK SECURITY



Security is a fundamental goal of the OpenStack architecture and needs to be
addressed at all layers of the stack. Like any complex, evolving system,
OpenStack needs its security vigilantly pursued and its exposures eliminated. We
need your help.

OpenStack has two mechanisms for communicating security information to
downstream stakeholders: “Advisories” and “Notes”. OpenStack Security Advisories
(OSSA) deal with severe security issues in OpenStack for which a fix is
available; OSSAs are issued by the OpenStack Vulnerability Management Team
(VMT). OpenStack Security Notes (OSSN) cover security issues that do not qualify
for an advisory, typically design issues and deployment or configuration
vulnerabilities.


HOW TO REPORT SECURITY ISSUES TO OPENSTACK

For detailed vulnerability reporting instructions, see How to report security
issues to OpenStack.


VULNERABILITY MANAGEMENT TEAM

See Vulnerability Management Team for the list of OpenStack Vulnerability
Managers.


SECURITY INFORMATION FOR OPENSTACK DEPLOYERS

The main sources of security guidance for OpenStack deployers are:

 * OpenStack Security Advisories (OSSA)

 * OpenStack Security Notes (OSSN)

 * OpenStack Security Guide


OPENSTACK SECURITY ADVISORIES (OSSA)

Recent OSSAs:

 * OSSA-2024-002: Incomplete file access fix and regression for QCOW2 backing
   files and VMDK flat descriptors
 * OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
 * OSSA-2023-003: Unauthorized volume access through deleted volume attachments
 * OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
 * OSSA-2023-001: Arbitrary file access through custom S3 XML entities

You can find the complete list of published advisories here:

 * OpenStack Security Advisories


OPENSTACK SECURITY NOTES

Security Notes advise users of security-related issues. Security notes are
similar to advisories; they often address vulnerabilities in third-party tools
typically used within OpenStack deployments and provide guidance on common
configuration mistakes that can result in an insecure operating environment.

The complete set of security notes is available online, and each note is also
published on the OpenStack mailing list when it is released.


OPENSTACK SECURITY GUIDE

The OpenStack Security Guide provides best practice information for OpenStack
deployers. This guide was written by a community of security experts from the
OpenStack Security Project, based on experience gained while hardening OpenStack
deployments. The guide covers topics including compute and storage hardening,
rate limiting, compliance, and cryptography; it is the starting point for anyone
looking to securely deploy OpenStack.

Read the guide online today.


SECURITY INFORMATION FOR OPENSTACK DEVELOPERS


HOW TO PROPOSE AND REVIEW A SECURITY PATCH

Note

The patch development and review process for security patches is different from
that for normal patches in OpenStack. Because the Gerrit review process is
public, patches for security bugs must instead be proposed and reviewed in the
StoryBoard or Launchpad bug report comments.

After a patch for the reported bug has been developed locally, you, the patch
author, need to share it with the community. This is a simple process, but it
differs from the normal OpenStack workflow.

 * Export it using the format-patch command:

   git format-patch --stdout HEAD~1 >path/to/local/file.patch

   This writes the most recent commit (HEAD~1..HEAD), with its commit message
   and author metadata, into a single file. Now you have the patch saved
   locally and you can attach it in a comment on the bug page.

 * For reviewers, to review that attached patch, run the following command:

   git am <path/to/local/file.patch

   This applies the patch locally as a commit, including the commit message,
   author, date, and all other metadata. However, if the patch author did not
   use format-patch to export the patch (perhaps they only used git show
   >local.patch), then the patch can be applied locally with:

   git apply path/to/local/file.patch
   
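Putting the author and reviewer halves together, here is an added example (not from the OpenStack documentation or the project's own tooling) that runs the export and both apply paths end to end in a scratch directory. The upstream repository, the one-line fix, the commit message and the identities are all constructed for illustration; the point is to see what `git am` keeps that `git apply` drops:

```sh
#!/bin/sh
# Added example, not part of the OpenStack documentation: a self-contained dry
# run of the patch hand-off described above. It builds a throwaway upstream
# repository, has a "fix author" export one commit with `git format-patch
# --stdout HEAD~1`, and has a "reviewer" in a fresh clone apply it both ways.
# Repository contents, commit message, names and addresses are all constructed.
set -eu

command -v git >/dev/null 2>&1 || { echo "git is required for this demo" >&2; exit 0; }

# Pin identities and ignore ~/.gitconfig so the run is deterministic.
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=Upstream GIT_AUTHOR_EMAIL=upstream@example.invalid
export GIT_COMMITTER_NAME=Reviewer GIT_COMMITTER_EMAIL=reviewer@example.invalid

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FIX_SUBJECT="Use yaml.safe_load so untrusted input cannot construct objects"

# 1. Upstream repository with one file: the (constructed) vulnerable baseline.
setup_upstream() {
    rm -rf "$WORK/upstream"
    git -c init.defaultBranch=main init -q "$WORK/upstream"
    printf 'import yaml\n\ndef load(data):\n    return yaml.load(data)\n' \
        > "$WORK/upstream/loader.py"
    git -C "$WORK/upstream" add loader.py
    git -C "$WORK/upstream" -c commit.gpgsign=false commit -q -m "Initial import"
}

# 2. The patch author fixes the bug in a local clone and exports exactly the
#    last commit as a mail-formatted patch, which is what gets attached to the
#    StoryBoard or Launchpad bug.
author_export_patch() {
    rm -rf "$WORK/author"
    git clone -q "$WORK/upstream" "$WORK/author"
    printf 'import yaml\n\ndef load(data):\n    return yaml.safe_load(data)\n' \
        > "$WORK/author/loader.py"
    git -C "$WORK/author" add loader.py
    GIT_AUTHOR_NAME="Fix Author" GIT_AUTHOR_EMAIL=fix@example.invalid \
        git -C "$WORK/author" -c commit.gpgsign=false commit -q -m "$FIX_SUBJECT"
    git -C "$WORK/author" format-patch --stdout HEAD~1 > "$WORK/fix.patch"
}

# 3a. Reviewer path from the text: `git am` turns the attachment back into a
#     commit with the original author and message. Prints "<author> | <subject>".
reviewer_apply_am() {
    rm -rf "$WORK/reviewer-am"
    git clone -q "$WORK/upstream" "$WORK/reviewer-am"
    git -C "$WORK/reviewer-am" -c commit.gpgsign=false am -q < "$WORK/fix.patch"
    git -C "$WORK/reviewer-am" log -1 --format='%an | %s'
}

# 3b. Fallback from the text: `git apply` only changes the working tree, so no
#     commit, author or message is recorded. Prints "<commits> <modified files>".
reviewer_apply_diff() {
    rm -rf "$WORK/reviewer-apply"
    git clone -q "$WORK/upstream" "$WORK/reviewer-apply"
    git -C "$WORK/reviewer-apply" apply "$WORK/fix.patch"
    commits=$(git -C "$WORK/reviewer-apply" rev-list --count HEAD)
    modified=$(git -C "$WORK/reviewer-apply" status --porcelain | wc -l | tr -d ' ')
    echo "$commits $modified"
}

setup_upstream
author_export_patch
echo "git am    -> $(reviewer_apply_am)"
echo "git apply -> $(reviewer_apply_diff)"
```

Run it with `sh` from any directory; it needs only git and cleans up after itself. The two output lines make the distinction concrete: after `git am` the log shows the patch author's name and subject, while after `git apply` the clone still has a single commit and one modified, uncommitted file, which is why a reviewer holding a format-patch attachment should reach for `git am` first.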


SECURE DEVELOPMENT GUIDELINES

The OpenStack security team has collaboratively developed this set of
guidelines and best practices to help avoid common mistakes that lead to
security vulnerabilities within the OpenStack platform.

 * Apply Restrictive File Permissions
 * Avoid dangerous file parsing and object serialization libraries
 * Python Pipes to Avoid Shells
 * Unvalidated URL redirect
 * Use CSRF tokens to avoid CSRF attacks
 * Escape user input to prevent XSS attacks
 * Use secure channels for transmitting data
 * Parameterize Database Queries
 * Protect sensitive data in config files from disclosure
 * Using Rootwrap in OpenStack
 * Use Strong and Established Cryptographic Elements
 * Use oslo rootwrap securely
 * Use subprocess securely
 * Restrict path access to prevent path traversal
 * Create, use, and remove temporary files securely
 * Validate certificates on HTTPS connections to avoid man-in-the-middle attacks


this page last updated: 2024-02-27 17:10:09

Except where otherwise noted, this document is licensed under Creative Commons
Attribution 3.0 License. See all OpenStack Legal Documents.
