Bug 1099748 (CVE-2014-3801)

Summary: CVE-2014-3801 openstack-heat: authenticated information leak in Heat
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, apevec, ayoung, chazlett, chrisw, gkotton, gmollett, itamar, jpeeler, jrusnack, lhh, markmc, rbryant, rhos-maint, sbaker, sclewis, sdake, shardy, yeylon, zbitter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-22 20:08:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1099749, 1099750, 1149065    
Bug Blocks: 1101805    
Attachments:
Description Flags
havana patch none

Description Vincent Danen 2014-05-21 06:39:43 UTC
Title: Heat template URL information leakage
Reporter: Jason Dunsmore (Rackspace)
Products: Heat
Versions: 2013.2 to 2013.2.3, and 2014.1

Description:
Jason Dunsmore from Rackspace reported a vulnerability in Heat. An
authenticated user may temporarily see the URL of a provider template
used in another tenant by listing heat resources types. This may result
in disclosure of additional information if the template itself can be
accessed. The URL disappears from the listing after a certain point in
the stack creation. All Heat setups are affected.

https://launchpad.net/bugs/1311223
http://seclists.org/oss-sec/2014/q2/338

Comment 2 Vincent Danen 2014-05-21 06:42:11 UTC
Created openstack-heat tracking bugs for this issue:

Affects: fedora-all [bug 1099749]

Comment 6 Zane Bitter 2014-08-27 22:06:04 UTC
This was fixed upstream in 2014.1.1. Can we close it now?

Comment 9 Garth Mollett 2014-09-15 23:53:00 UTC
Created attachment 937761 [details]
havana patch

Comment 11 Martin Prpič 2014-10-20 12:02:29 UTC
IssueDescription:

It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible.

Comment 12 errata-xmlrpc 2014-10-22 17:52:50 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1687 https://rhn.redhat.com/errata/RHSA-2014-1687.html