Bug 2212960 (CVE-2023-6110)

Summary: CVE-2023-6110 openstack: deleting a non existing access rule deletes another existing access rule in it's scope
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: ON_QA --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, dmendiza, dwilde, eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, millevy, oblaut, pgrist, security-response-team, spower
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it's scope, it deletes other existing access rules which are not associated with any application credentials.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2209607, 2212962, 2212963, 2212964, 2245163, 2279562    
Bug Blocks: 2209139    

Description Anten Skrabec 2023-06-06 18:08:34 UTC 
When a user tries to delete a non existing access rule under it's scope, it deletes by accident it's other existing access rule which are not associated with any application credentials, under his scope.
Comment 5 Salvatore Bonaccorso 2024-02-13 07:06:46 UTC 
(In reply to Anten Skrabec from comment #0)
> When a user tries to delete a non existing access rule under it's scope, it
> deletes by accident it's other existing access rule which are not associated
> with any application credentials, under his scope.

Is there any more information on the exact issue, is it reported/known upstream?
Comment 6 Anten Skrabec 2024-02-13 20:25:28 UTC 
@Carnil
i've added them as external references but will copy below:
https://code.engineering.redhat.com/gerrit/gitweb?p=python-openstackclient.git;a=commit;h=7a7c364bdd7b2cd2b56e73724110710a68d58abf
https://review.opendev.org/c/openstack/python-openstackclient/+/888697
Comment 7 errata-xmlrpc 2024-05-22 20:11:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:2769 https://access.redhat.com/errata/RHSA-2024:2769
Comment 8 errata-xmlrpc 2024-05-22 20:35:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2737 https://access.redhat.com/errata/RHSA-2024:2737
Comment 9 MilanaLevy 2024-07-25 12:02:01 UTC 
Not verified. 
[zuul@controller-0 ~]$ oc get pod keystone-5977bd6f7d-r7845 -o=json|grep imageID
                "imageID": "quay.io/podified-antelope-centos9/openstack-keystone@sha256:fb1616376d2e5f313cc10754513f554939bb8d5b30f36417d35cb77b8230d240",

sh-5.1$ openstack application credential list
+----------------------------------+--------------------+----------------------------------+-------------+------------+
| ID                               | Name               | Project ID                       | Description | Expires At |
+----------------------------------+--------------------+----------------------------------+-------------+------------+
| 9639486668c6489fb3d7e7cac77fc462 | scaler-upper-test  | 7e87a0999c0a4fe49e1c667902654ca4 | None        | None       |
| 78a03b758fb9455b97d616430869f948 | scaler-upper-test1 | 7e87a0999c0a4fe49e1c667902654ca4 | None        | None       |
| 464777b573f54718814e9a5d251271cf | scaler-upper-02    | 7e87a0999c0a4fe49e1c667902654ca4 | None        | None       |
| 2976e3995eef4fec878f38efd938610c | scaler-upper-03    | 7e87a0999c0a4fe49e1c667902654ca4 | None        | None       |
+----------------------------------+--------------------+----------------------------------+-------------+------------+
sh-5.1$ openstack access rule list
+----------------------------------+---------+--------+---------------+
| ID                               | Service | Method | Path          |
+----------------------------------+---------+--------+---------------+
| 0597357af1374182a571e09e1d2a63ef | compute | POST   | /v2.1/servers |
+----------------------------------+---------+--------+---------------+
sh-5.1$ openstack application credential delete 9639486668c6489fb3d7e7cac77fc462
sh-5.1$ openstack application credential delete 78a03b758fb9455b97d616430869f948
sh-5.1$ openstack application credential delete 464777b573f54718814e9a5d251271cf
sh-5.1$ openstack application credential delete 2976e3995eef4fec878f38efd938610c
sh-5.1$ openstack access rule list
+----------------------------------+---------+--------+---------------+
| ID                               | Service | Method | Path          |
+----------------------------------+---------+--------+---------------+
| 0597357af1374182a571e09e1d2a63ef | compute | POST   | /v2.1/servers |
+----------------------------------+---------+--------+---------------+
sh-5.1$ openstack access rule delete fjgjhjk
sh-5.1$ openstack access rule list