Bug 1039141 (CVE-2013-6426)

Summary: CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: aortega, apevec, ayoung, chrisw, gkotton, gmollett, iheim, jpeeler, lhh, markmc, rbryant, sbaker, sclewis, sdake, security-response-team, shardy, yeylon
Last Closed: 2014-07-15 07:29:12 UTC
Bug Depends On: 1039147, 1112425, 1112428
Bug Blocks: 1039146
Attachments:
cve-2013-6426-master-icehouse.patch (attachment 833715)
cve-2013-6426-stable-havana.patch (attachment 833717)

Description Kurt Seifried 2013-12-06 18:50:48 UTC
Jeremy Stanley of the OpenStack Project reports:

Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.
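
The gap described above, as an added illustration that is not part of the bug report or of Heat's own code: a CloudFormation-style request dispatcher that applies the policy check to only some actions, beside one that checks every action and fails closed when an action has no rule. The rule names follow the shape of Heat's default policy.json (deny_stack_user, cloudformation:CreateStack); the Context, enforce, the two StackApi classes and the sample requests are constructed for this example and do not reproduce Heat's implementation or the actual location of the flaw.

```python
# Added illustration, not Heat's code: a CFN-style dispatcher that checks
# policy for only some actions, beside one that checks every action.
from dataclasses import dataclass, field

# Constructed policy in the shape of Heat's default policy.json: callers with
# the heat_stack_user role (in-instance users) are denied stack management.
DEFAULT_POLICY = {
    "deny_stack_user": "not role:heat_stack_user",
    "cloudformation:ListStacks": "rule:deny_stack_user",
    "cloudformation:CreateStack": "rule:deny_stack_user",
    "cloudformation:UpdateStack": "rule:deny_stack_user",
}

class Forbidden(Exception):
    """Raised when a policy rule denies the requested action."""

@dataclass
class Context:  # hypothetical request context: caller and Keystone-style roles
    user: str
    roles: set = field(default_factory=set)

def check_rule(expr, ctx, policy):
    """Evaluate a tiny rule subset: 'not X', 'rule:NAME', 'role:NAME'."""
    expr = expr.strip()
    if expr.startswith("not "):
        return not check_rule(expr[4:], ctx, policy)
    if expr.startswith("rule:"):
        return check_rule(policy[expr[5:]], ctx, policy)
    if expr.startswith("role:"):
        return expr[5:] in ctx.roles
    raise ValueError("unsupported rule syntax: %r" % expr)

def enforce(action, ctx, policy=DEFAULT_POLICY):
    """Raise Forbidden unless the rule for action passes; an action with no
    rule at all is denied rather than silently allowed (fail closed)."""
    rule = policy.get(action)
    if rule is None or not check_rule(rule, ctx, policy):
        raise Forbidden(action)

class _StackApiBase:
    """Handlers shared by both variants; the stack store is per instance."""
    def __init__(self):
        self.stacks = {}

    def _run(self, action, ctx, params):
        handler = getattr(self, "do_" + action, None)
        if handler is None:
            raise ValueError("unknown action: %s" % action)
        return handler(ctx, **params)

    def do_ListStacks(self, ctx):
        return sorted(self.stacks)

    def do_CreateStack(self, ctx, StackName, TemplateBody):
        self.stacks[StackName] = {"owner": ctx.user, "template": TemplateBody}
        return StackName

    def do_UpdateStack(self, ctx, StackName, TemplateBody):
        self.stacks.setdefault(StackName, {"owner": ctx.user})["template"] = TemplateBody
        return StackName

class VulnerableStackApi(_StackApiBase):
    """Constructed gap: only the actions in ENFORCED are checked, so
    CreateStack and UpdateStack run for any caller that reaches the API."""
    ENFORCED = {"ListStacks"}

    def handle(self, action, ctx, **params):
        if action in self.ENFORCED:
            enforce("cloudformation:" + action, ctx)
        return self._run(action, ctx, params)

class HardenedStackApi(_StackApiBase):
    """Every dispatched action is checked against policy before it runs."""
    def handle(self, action, ctx, **params):
        enforce("cloudformation:" + action, ctx)
        return self._run(action, ctx, params)

def outcome(api, ctx, action, **params):
    """'allowed' or 'denied' for one request, so the variants can be compared."""
    try:
        api.handle(action, ctx, **params)
        return "allowed"
    except Forbidden:
        return "denied"

def compare(action="CreateStack"):
    """Same management request from an in-instance user to both variants,
    plus an operator without the stack-user role to the hardened one."""
    stack_user = Context("instance-agent", {"heat_stack_user"})
    operator = Context("operator", {"admin"})
    params = {"StackName": "rogue", "TemplateBody": "{}"}
    return {
        "vulnerable": outcome(VulnerableStackApi(), stack_user, action, **params),
        "hardened": outcome(HardenedStackApi(), stack_user, action, **params),
        "hardened_operator": outcome(HardenedStackApi(), operator, action, **params),
    }
```

Calling compare("CreateStack") or compare("UpdateStack") shows the in-instance user let through by the vulnerable dispatcher and refused by the hardened one, while the operator is still allowed. The check a practitioner would run against a real deployment is the same idea from the outside: call each CFN management action with in-instance (stack-user) credentials and confirm that every one of them returns a policy denial, not just the ones that happen to be wired to the enforcer.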

Comment 2 Kurt Seifried 2013-12-06 18:58:37 UTC
Acknowledgements: 

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.

Comment 4 Kurt Seifried 2013-12-06 19:01:04 UTC
Created attachment 833715
cve-2013-6426-master-icehouse.patch

Comment 5 Kurt Seifried 2013-12-06 19:01:49 UTC
Created attachment 833717
cve-2013-6426-stable-havana.patch

Comment 6 errata-xmlrpc 2014-01-22 18:33:06 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0090 https://rhn.redhat.com/errata/RHSA-2014-0090.html

Comment 9 Garth Mollett 2014-06-23 23:43:09 UTC
Created openstack-heat tracking bugs for this issue:

Affects: fedora-19 [bug 1112428]