Bugzilla – Bug 1199427
VUL-0: CVE-2022-1655: openstack-dashboard: OpenStack: Horizon session cookies are not flagged HttpOnly
Last modified: 2022-05-30 11:19:50 UTC
Description of problem:
- An internal security audit discovered that Horizon session cookies are being created without the HttpOnly flag even though we set HorizonSecureCookies to true in our environment files.
- According to the KCS article at https://access.redhat.com/solutions/4764241 the relevant Django flag should be set manually in the dashboard configuration file.
Version-Release number of selected component (if applicable):
- Red Hat OpenStack 16.2.1 (Z1)
- From the customer's point of view, the workaround described in KCS 4764241 is unacceptable because those modifications would get lost every time the overcloud configuration is updated by TripleO, and it would require a manual intervention on all controllers followed by a restart of the dashboard.
- The customer's expectation is a fix (setting HttpOnly via TripleO) for this problem in a subsequent Z stream of OSP 16.2.
- OpenStack recommendations on Cookies, related to the OpenStack O&M Dashboard (Horizon GUI), are available at: https://docs.openstack.org/security-guide/dashboard/cookies.html
- In terms of common consequences connected to the missing HttpOnly flag on the cookies of the O&M OpenStack Dashboard (Horizon GUI), these can be identified in two areas:
Confidentiality impact:
If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity impact:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-dashboard 12.0.5~dev6
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/openstack-dashboard 14.1.1~dev11
Looks like we already have this setting in our Horizon local_settings.py
SESSION_COOKIE_HTTPONLY = True
for both cloud 8 and cloud 9.
Is this sufficient?
I think it should be okay, thanks!
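The question in this thread is whether SESSION_COOKIE_HTTPONLY = True in local_settings.py is sufficient. The report above describes a deployment where cookies were still issued without HttpOnly despite a cookie-hardening setting in the deployment configuration, so the check that actually settles it is on the Set-Cookie headers the dashboard returns. The following is an added example, not code from this bug, from Horizon or from Django: it parses Set-Cookie header values and reports session cookies that lack HttpOnly or Secure. The header samples are constructed; the cookie name sessionid is Django's default and is an assumption (a deployment that overrides SESSION_COOKIE_NAME must adjust SESSION_COOKIE_NAMES). The csrftoken cookie is deliberately not judged on HttpOnly, since Horizon's JavaScript reads it.

```python
"""Added example: audit Set-Cookie headers for the HttpOnly/Secure flags a
session cookie should carry. Not code from Horizon, Django or this bug."""
import sys
import urllib.request
from typing import Dict, List

# Django's default session cookie name; Horizon uses it unless
# SESSION_COOKIE_NAME is overridden in local_settings.py (assumption: default).
SESSION_COOKIE_NAMES = {"sessionid"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to
    True, valued attributes (Path, SameSite, Expires) to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {"name": name}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return attrs


def findings(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [problems]} for session cookies lacking the flags.

    Cookies not in SESSION_COOKIE_NAMES (e.g. csrftoken, which the dashboard's
    JavaScript must read) are skipped rather than flagged.
    """
    result: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        if name not in SESSION_COOKIE_NAMES:
            continue
        problems = []
        if cookie.get("httponly") is not True:
            problems.append("missing HttpOnly")
        if cookie.get("secure") is not True:
            problems.append("missing Secure")
        if problems:
            result[name] = problems
    return result


def fetch_set_cookie(url: str) -> List[str]:
    """Fetch a page and return every Set-Cookie header it sent (live check)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed headers illustrating the reported state and the fixed state.
BEFORE_FIX = [
    "sessionid=abc123; Path=/; Secure",          # HttpOnly absent
    "csrftoken=def456; Path=/; Secure",
]
AFTER_FIX = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=def456; Path=/; Secure",
]

if __name__ == "__main__":
    # With a dashboard URL as argument the live headers are checked;
    # without one the constructed BEFORE_FIX sample is audited.
    headers = fetch_set_cookie(sys.argv[1]) if len(sys.argv) > 1 else BEFORE_FIX
    for name, problems in findings(headers).items():
        print(f"{name}: {', '.join(problems)}")
```

Run it against the login page of each controller after a configuration update (and again after the dashboard restart) rather than trusting the setting in the file: the point of the report above is that the file and the wire disagreed. The parser only looks at header attributes; it does not log in, so it only sees cookies the server sets on an unauthenticated request.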