Bug 2120660

Summary: CVE-2022-3101 tripleo-ansible: File permissions are too liberal on a director deployment [openstack-16.2]
Product: Red Hat OpenStack
Reporter: David Hill <dhill>
Component: tripleo-ansible
Assignee: Takashi Kajinami <tkajinam>
Status: CLOSED ERRATA
QA Contact: Joe H. Rahme <jhakimra>
Severity: high
Priority: high
Docs Contact:
Version: 16.2 (Train)
CC: astupnik, drosenfe, jjoyce, jschluet, jslagle, mburns, ntait, tkajinam
Target Milestone: async
Keywords: Security, SecurityTracking, Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: tripleo-ansible-0.8.1-2.20220406160116.el8ost openstack-tripleo-common-11.7.1-2.20220318011206.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-10-17 10:20:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2123870

Comment 21 David Rosenfeld 2022-10-06 17:17:47 UTC
Used RHOS-16.2-RHEL-8-20221005.n.1-ASYNC

[stack@undercloud-0 ~]$ yum list installed | grep tripleo-ansible
tripleo-ansible.noarch                        0.8.1-2.20220406160116.el8ost                @rhelosp-16.2

[stack@undercloud-0 ~]$ yum list installed | grep openstack-tripleo-common
openstack-tripleo-common.noarch               11.7.1-2.20220318011206.el8ost               @rhelosp-16.2                     
openstack-tripleo-common-containers.noarch    11.7.1-2.20220318011206.el8ost               @rhelosp-16.2 


Moving to ON_DEV. Can still recover password from /var/lib/mistral:

[stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
    OS_PASSWORD: 5eflajGWotKbhIPa6HiKLos7H

Comment 22 David Rosenfeld 2022-10-06 18:03:57 UTC
As a regular user /var/lib/mistral is not visible:

[stack@undercloud-0 ~]$ ls -l /var/lib/mistral
ls: cannot open directory '/var/lib/mistral': Permission denied
However, the overcloud directory still has open permissions, so a regular user can still access files in the overcloud directory:
[stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral
total 8
lrwxrwxrwx.  1 42430 42430   26 Oct  6 13:39 config-download-latest -> /var/lib/mistral/overcloud
drwxr-xr-x. 14 42430 42430 4096 Oct  6 14:08 overcloud
-r--r--r--.  1 42430 42430 1057 Oct  6 12:51 undercloud.conf

Comment 23 James Slagle 2022-10-06 19:30:54 UTC
The mistral_executor container does not have the updated openstack-tripleo-common from the FIV:

[stack@undercloud-0 ~]$ sudo podman exec -it mistral_executor rpm -q openstack-tripleo-common
openstack-tripleo-common-11.7.1-2.20220318011205.b5ef9a5.el8ost.noarch

Mistral is running containerized and using code from tripleo-common, so we need to patch the container in addition to the host.

Comment 24 James Slagle 2022-10-06 20:24:13 UTC
I updated the openstack-tripleo-common containers in the mistral_executor container, then restarted the container:

[stack@undercloud-0 ~]$ sudo podman exec -it mistral_executor rpm -qa | grep tripleo-common
openstack-tripleo-common-container-base-11.7.1-2.20220318011206.el8ost.noarch
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch
python3-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch
openstack-tripleo-common-containers-11.7.1-2.20220318011206.el8ost.noarch


Then I ran overcloud deploy with the --config-download-only arg (just to skip the stack update). Looks like it is fixed now:

[stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
grep: /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml: Permission denied
[stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral
total 8
lrwxrwxrwx.  1 42430 42430   26 Oct  6 20:08 config-download-latest -> /var/lib/mistral/overcloud
drwxrwx---. 15 42430 42430 4096 Oct  6 20:12 overcloud
-r--r--r--.  1 42430 42430 1057 Oct  6 12:51 undercloud.conf

Comment 25 James Slagle 2022-10-06 20:38:40 UTC
The tripleo-ansible patch, which fixes the permissions on overcloud.json, also looks fixed:

(undercloud) [stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral/overcloud/group_vars/overcloud.json
-rw-r-----. 1 42430 42430 30896 Oct  6 20:08 /var/lib/mistral/overcloud/group_vars/overcloud.json

Comment 26 Jon Schlueter 2022-10-07 00:24:09 UTC
Testing as mentioned above requires the mistral-executor container image to be patched for this fix to be effective and testable.

Comment 28 David Rosenfeld 2022-10-12 18:34:38 UTC
Stopped mistral-executor, downloaded rhosp16-openstack-mistral-executor:16.2.3-10.1665156347, and started it with the new image:

(undercloud) [stack@undercloud-0 ~]$ sudo podman ps -a | grep mistral-executor
41ebabbec3eb  undercloud-0.ctlplane.redhat.local:8787/rh-osbs/rhosp16-openstack-mistral-executor:16.2.3-10.1665156347      kolla_start

Reran overcloud deploy and verified password was no longer recoverable:

(undercloud) [stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
grep: /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml: Permission denied
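The manual checks in comments 22, 24 and 28 (ls on /var/lib/mistral, grep on a task file as an unprivileged user) can be turned into a repeatable permission audit. The script below is an added example, not code from the bug report or from tripleo-ansible: it reports every entry under a config-download directory whose mode grants any permission to "other", and it demonstrates the before/after states on a constructed tree with a placeholder secret. It assumes GNU find on Linux (for -perm /mode and -printf); the target directory is a parameter, so against a real undercloud it would be run as root on /var/lib/mistral.

```shell
#!/bin/sh
# Added example (not part of the bug report or of tripleo-ansible):
# audit a config-download directory for world-accessible entries.

# List every entry under $1 that is readable, writable or searchable by
# "other". Symlinks are skipped because their own mode is always 0777.
# Returns 0 when nothing is world-accessible, 1 when something is,
# 2 when the directory does not exist.
audit_other_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" ! -type l -perm /o+rwx -printf 'world-accessible: %M %p\n'
    n=$(find "$dir" ! -type l -perm /o+rwx | wc -l)
    [ "$n" -eq 0 ]
}

# Build a constructed tree mirroring the layout shown in the comments, in
# the "before" state: 0755 directories and 0644 task files. Prints the root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/overcloud/Controller" "$root/overcloud/group_vars"
    ln -s "$root/overcloud" "$root/config-download-latest"
    # Placeholder value, not a real credential.
    printf 'OS_PASSWORD: PLACEHOLDER_SECRET\n' \
        > "$root/overcloud/Controller/post_upgrade_tasks.yaml"
    printf '{}\n' > "$root/overcloud/group_vars/overcloud.json"
    chmod 755 "$root/overcloud" "$root/overcloud/Controller" "$root/overcloud/group_vars"
    chmod 644 "$root/overcloud/Controller/post_upgrade_tasks.yaml" \
              "$root/overcloud/group_vars/overcloud.json"
    echo "$root"
}

# Apply the modes the fixed packages produce (comments 24 and 25):
# 0770 on the overcloud directories, 0640 on the files inside.
harden_demo_tree() {
    root="$1"
    find "$root/overcloud" -type d -exec chmod 770 {} +
    find "$root/overcloud" -type f -exec chmod 640 {} +
}

# Stand-alone run: the audit fails on the constructed "before" tree and
# passes once the hardened modes are applied.
demo_root=$(make_demo_tree)
if audit_other_perms "$demo_root"; then
    echo "before fix: clean (unexpected)"
else
    echo "before fix: world-accessible entries found"
fi
harden_demo_tree "$demo_root"
if audit_other_perms "$demo_root"; then
    echo "after fix: clean"
else
    echo "after fix: still world-accessible"
fi
rm -rf "$demo_root"
```

Running the audit as root matters: an unprivileged user cannot traverse a 0770 /var/lib/mistral at all, which is exactly the "Permission denied" seen in comment 24, so only a privileged run can confirm the modes of what lies below. The audit reports mode bits only; it does not look at file contents.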

Comment 30 errata-xmlrpc 2022-10-17 10:20:51 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenStack Platform (tripleo-ansible) security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6969