47 lines
1.6 KiB
Plaintext
47 lines
1.6 KiB
Plaintext
Configure Horizon to mitigate BREACH/CRIME attacks
|
|
---
|
|
|
|
### Summary ###
|
|
Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks in
|
|
it's default configuration.
|
|
|
|
### Affected Services / Software ###
|
|
Horizon, Django, Apache, Nginx, SSL, TLS
|
|
|
|
### Discussion ###
|
|
The BREACH attack may be used to compromise Django's cross-site request
|
|
forgery (CSRF) protection. OpenStack's Horizon web dashboard is built on
|
|
the Django framework, and is consequently affected. There is no fix
|
|
available in Horizon itself, but there are protection options.
|
|
|
|
BREACH takes advantage of vulnerabilities when serving compressed data
|
|
over SSL/TLS.
|
|
|
|
### Recommended Actions ###
|
|
Since BREACH is related to serving compressed data, disabling
|
|
compression of web responses can be used to mitigate these type of
|
|
attacks. Some methods for this include:
|
|
|
|
Disable Django's GZIP Middleware:
|
|
|
|
https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip
|
|
|
|
Disable GZip compression in your web server's config. For Apache httpd,
|
|
you can do this by disabling mod_deflate:
|
|
|
|
http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
|
|
|
|
For Nginx, you can do this by disabling the gzip module:
|
|
|
|
http://wiki.nginx.org/HttpGzipModule
|
|
|
|
### Contacts / References ###
|
|
Author: Robert Clark, HP
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0037
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1209250
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
Django advice on BREACH :
|
|
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
|
|
More info on BREACH : http://breachattack.com/
|