Vulnerability awareness

OpenStack vulnerability management team

We recommend keeping up to date on security issues and advisories as they are published. The OpenStack Security Portal is the central portal where advisories, notices, meetings, and processes are coordinated. Additionally, the OpenStack Vulnerability Management Team (VMT) portal coordinates remediation within OpenStack, as well as the process of investigating reported bugs that are responsibly disclosed (privately) to the VMT by marking the bug as ‘This bug is a security vulnerability’. Further detail is outlined in the VMT process page. The outcome is an OpenStack Security Advisory (OSSA), which describes the issue and the fix and links to both the original bug and the location where the patch is hosted.

OpenStack security notes

Reported security bugs that are found to be the result of a misconfiguration, or that are not strictly part of OpenStack, are drafted into OpenStack Security Notes (OSSNs). These include configuration issues, such as ensuring identity provider mappings are set up correctly, as well as non-OpenStack but critical issues, such as the Bashbug/Ghost or Venom vulnerabilities, that affect the platform OpenStack utilizes. The current set of OSSNs is in the Security Note wiki.

OpenStack-discuss mailing list

All bugs, OSSAs and OSSNs are publicly disseminated through the openstack-discuss mailing list with the [security] topic tag in the subject line. We recommend subscribing to this list and setting up mail filtering rules that ensure OSSNs, OSSAs, and other important advisories are not missed. The openstack-discuss mailing list is managed through http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-discuss. The openstack-discuss list uses subject tags as defined in the Project Team Guide.
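As an added illustration of the filtering recommendation above (example code, not part of the guide or of any OpenStack tooling), the following Python routine parses the leading bracketed topic tags of a subject line and routes messages carrying the [security] tag to a separate folder. The tag-parsing rules, folder names and sample subject lines are assumptions constructed for this example.

```python
import re

# Reply/forward prefixes and leading [tag] groups, as assumed for this example.
REPLY_PREFIX = re.compile(r"^(?:re|fw|fwd)\s*:\s*", re.IGNORECASE)
LEADING_TAG = re.compile(r"^\[([^\]]*)\]\s*")


def subject_tags(subject):
    """Return the lower-cased topic tags from the start of a subject line.

    Only the run of [..] groups at the start of the subject (after any
    'Re:'/'Fwd:' prefixes) is treated as tags, so a bracketed word buried in
    the free-text part of the subject is not mistaken for a topic tag.
    """
    rest = subject.strip()
    tags = []
    while True:
        m = REPLY_PREFIX.match(rest)
        if m:
            rest = rest[m.end():]
            continue
        m = LEADING_TAG.match(rest)
        if m:
            tags.append(m.group(1).strip().lower())
            rest = rest[m.end():]
            continue
        return tags


def is_security_notice(subject):
    """True when the message carries the [security] topic tag (any case)."""
    return "security" in subject_tags(subject)


def route(subject):
    """Folder a filter would deliver the message to (folder names assumed)."""
    return "openstack-security" if is_security_notice(subject) else "openstack-discuss"


# Constructed sample subjects; advisory identifiers are placeholders.
SAMPLE_SUBJECTS = [
    "[security][nova] [OSSA-YYYY-NNN] Placeholder advisory title",
    "Re: Re: [Security] [ossn] Placeholder security note",
    "[nova][ops] Question about security groups",      # 'security' only in free text
    "[all] Agenda for the [security] SIG meeting",     # tag not in the leading run
]


def route_samples():
    """Route every sample subject; returns (subject, folder) pairs."""
    return [(s, route(s)) for s in SAMPLE_SUBJECTS]


if __name__ == "__main__":
    for subject, folder in route_samples():
        print(f"{folder:20} <- {subject}")
```

Real mail clients express the same rule in Sieve or procmail; the Python form just makes the tag-parsing behaviour testable before it is deployed as a filter.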

Hypervisor mailing lists

When implementing OpenStack, one of the core decisions is which hypervisor to utilize. We recommend staying informed of advisories pertaining to the hypervisor(s) you have chosen. Several common hypervisor security lists are given below:

Xen:

http://xenbits.xen.org/xsa/

VMware:

http://blogs.vmware.com/security/

Others (KVM, and more):

http://seclists.org/oss-sec