Bug 2125404 (CVE-2022-3100)

Summary: CVE-2022-3100 openstack-barbican: access policy bypass via query string injection
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alee, eglynn, hrybacki, jjoyce, lhh, mburns, mgarciac, security-response-team, spower
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-barbican-12.0.1-0.20220614210405 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-28 22:28:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2122347, 2125406, 2125407, 2126199, 2131829    
Bug Blocks: 2123858    

Description Anten Skrabec 2022-09-08 21:16:35 UTC 
Barbican is including the contents of the request query string in the target data that is used by oslo.policy to enforce policy.

Since oslo.policy uses this data to do string interpolation into the policy rules before enforcing the policy, it gives a malicious user the opportunity to craft query strings to manipulate the policy in arbitrary ways.

For example, a malicious user with a Keystone account is able to decrypt any secret as long as they know the secret's ID by using a specifically crafted query string:

    GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Using this query string, the malicious user is able to fool Barbican into thinking that the user is in the ACL for the secret, which allows for secret decryption.  Since the query string is applied to the target data after the data is fetched from the database, the user-provided query string overrides any values stored in the DB.  In this case, overriding "target.secret.read" to "read", which should only be set when a user is added to the ACL.
Comment 12 errata-xmlrpc 2022-09-29 12:38:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2
  Red Hat OpenStack Platform 17.0
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
  Red Hat OpenStack Platform 13.0 - ELS

Via RHSA-2022:6750 https://access.redhat.com/errata/RHSA-2022:6750
Comment 13 Anten Skrabec 2022-10-03 20:23:50 UTC 
Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2131829]
Comment 14 Product Security DevOps Team 2022-11-28 22:28:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3100