Bug 1809855 (CVE-2020-9543)

Summary: CVE-2020-9543 openstack-manila: User with share-network UUID is able to show, create and delete shares
Product: [Other] Security Response
Reporter: Joshua Padman <jpadman>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ccopello, dbecker, gouthamr, jjoyce, jschluet, kbasil, lhh, lpeer, mburns, sclewis, security-response-team, slinaber, slong, tbarron
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: manila 7.4.1, manila 8.1.1, manila 9.1.1
Doc Type: If docs needed, set a value
Doc Text:
An access flaw was found in openstack-manila, where the API did not validate the requesting user/project against the owner of the share network named in a request. A malicious user who knew the UUID of a share network could view, update, delete, or share resources that did not belong to them, and could also create resources (for example, shares or share groups) on that share network.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-06 10:32:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1810367, 1810368, 1810369, 1812356, 1814000
Bug Blocks: 1809857
Attachments (Description / Flags):
  Pike patch / none
  Queens patch / none
  Ussuri patch / none

Description Joshua Padman 2020-03-04 03:03:05 UTC
A user that has the UUID of a share-network can show information, create shares, or delete the share-network. The API does not validate the user/project on commands. The UUIDs are not intended to be secret; however, there are currently no protections to enable this safely.

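The flaw described above is a missing ownership check on an object looked up by UUID alone. The following is an added illustration, not Manila's own code or its fix: an in-memory model of a share-network lookup with the vulnerable pattern (lookup keyed on the UUID only) beside a hardened one that scopes the lookup to the caller's project, with admins exempt. The class and function names, the two tenants and the UUIDs are all hypothetical, constructed sample data. Note the hardened lookup answers a foreign UUID with the same NotFound as a non-existent one, so the API does not confirm that another tenant's share network exists.

```python
"""Missing ownership check on a share-network lookup (illustration of CVE-2020-9543's flaw class).

Added example, not Manila's code. Names and data below are hypothetical/constructed.
"""
from dataclasses import dataclass, field
import uuid


class NotFound(Exception):
    """Stands in for an HTTP 404; used for both missing and foreign objects."""


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ShareNetwork:
    id: str
    project_id: str
    name: str
    shares: list = field(default_factory=list)


# Constructed sample data: two tenants, one share network each.
NET_A = ShareNetwork(id="3f5a1c2e-7d0b-4a8e-9c11-0a1b2c3d4e5f",
                     project_id="project-a", name="tenant-a-net")
NET_B = ShareNetwork(id="9b8c7d6e-5f4a-4b3c-8d2e-1f0a9b8c7d6e",
                     project_id="project-b", name="tenant-b-net")
STORE = {NET_A.id: NET_A, NET_B.id: NET_B}


def share_network_get_vulnerable(ctx, share_network_id):
    """Vulnerable pattern: the lookup is keyed on the UUID only.

    Any authenticated caller who knows (or guesses/obtains) the UUID gets
    the object, regardless of which project owns it.
    """
    try:
        return STORE[share_network_id]
    except KeyError:
        raise NotFound(share_network_id)


def share_network_get_hardened(ctx, share_network_id):
    """Hardened pattern: the lookup is scoped to the caller's project.

    Admin contexts may see every project's objects. A UUID that belongs to
    another project raises the same NotFound as an unknown UUID, so the
    response does not reveal whether the object exists.
    """
    net = STORE.get(share_network_id)
    if net is None or (not ctx.is_admin and net.project_id != ctx.project_id):
        raise NotFound(share_network_id)
    return net


def create_share(ctx, share_network_id, share_name, lookup=share_network_get_hardened):
    """Create a share on a share network resolved through `lookup`.

    With lookup=share_network_get_vulnerable a tenant can place a share on
    another tenant's network; with the hardened lookup the request fails
    before any resource is created.
    """
    net = lookup(ctx, share_network_id)
    share = {"id": str(uuid.uuid4()), "name": share_name,
             "project_id": ctx.project_id, "share_network_id": net.id}
    net.shares.append(share)
    return share


def attempt(fn, *args, **kwargs):
    """Run fn and report ('ok', value) or ('error', 'NotFound') for comparison."""
    try:
        return "ok", fn(*args, **kwargs)
    except NotFound:
        return "error", "NotFound"


if __name__ == "__main__":
    alice = RequestContext(user_id="alice", project_id="project-a")
    # Alice holds tenant B's UUID: the vulnerable lookup hands over the object.
    print("vulnerable:", attempt(share_network_get_vulnerable, alice, NET_B.id))
    # The scoped lookup treats it exactly like an unknown UUID.
    print("hardened:  ", attempt(share_network_get_hardened, alice, NET_B.id))
```

The same scoped lookup must be used by every operation that takes a share-network ID (show, update, delete, and share or share-group creation); fixing only the show path leaves the create path exploitable.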
Comment 1 Summer Long 2020-03-05 05:17:19 UTC
Acknowledgments:

Name: the OpenStack Manila project

Comment 2 Summer Long 2020-03-05 05:17:21 UTC
Mitigation:

There is no known mitigation for this issue, the flaw can only be resolved by applying updates.

Comment 3 Summer Long 2020-03-05 05:20:11 UTC
Created attachment 1667633 [details]
Pike patch

Comment 4 Summer Long 2020-03-05 05:20:57 UTC
Created attachment 1667634 [details]
Queens patch

Comment 5 Summer Long 2020-03-05 05:21:32 UTC
Created attachment 1667635 [details]
Ussuri patch

Comment 7 Summer Long 2020-03-11 05:43:36 UTC
Upstream bug: https://bugs.launchpad.net/manila/+bug/1861485

Comment 9 Summer Long 2020-03-11 06:13:30 UTC
Created openstack-manila tracking bugs for this issue:

Affects: openstack-rdo [bug 1812356]

Comment 10 msiddiqu 2020-03-11 14:13:47 UTC
References: 

https://bugs.launchpad.net/manila/+bug/1861485

Comment 11 msiddiqu 2020-03-11 14:13:55 UTC
External References:

https://security.openstack.org/ossa/OSSA-2020-002.html

Comment 12 errata-xmlrpc 2020-04-06 09:01:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:1326 https://access.redhat.com/errata/RHSA-2020:1326

Comment 13 Product Security DevOps Team 2020-04-06 10:32:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9543

Comment 14 errata-xmlrpc 2020-05-14 12:07:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.0 (Train)

Via RHSA-2020:2165 https://access.redhat.com/errata/RHSA-2020:2165

Comment 15 errata-xmlrpc 2020-06-24 12:15:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:2729 https://access.redhat.com/errata/RHSA-2020:2729