Bug 2269112 (CVE-2024-29156)

Summary: CVE-2024-29156 YAQL: OpenStack Murano Component Information Leakage
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: eglynn, jjoyce, jschluet, jslagle, lhh, lsvaty, mburns, mgarciac, pgrist, ramishra, rhos-maint, security-response-team, shrjoshi, slinaber, trathi, tvignaud
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks. The exploit allows access to the Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, and granting unauthorized users administrative privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 229116, 2269113, 2269114, 2269115, 2269116, 2269117, 2269118, 2270055, 2270056, 2270057, 2273549, 2273771, 2275836, 2275837    
Bug Blocks: 2269119    

Description Avinash Hanwate 2024-03-12 06:56:44 UTC 
The Sangfor Security Research Team has identified a critical security vulnerability in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorised users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorised users can gain complete control over various resources, including user roles, hosts, and networks.

The exploit allows access to Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, granting
unauthorised users administrative privileges.
Comment 5 TEJ RATHI 2024-03-19 05:52:01 UTC 
*** Bug 2270037 has been marked as a duplicate of this bug. ***
Comment 6 TEJ RATHI 2024-03-19 05:58:11 UTC 
Lifting Embargo...

https://launchpad.net/bugs/2048114
https://opendev.org/openstack/murano/tags
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
https://wiki.openstack.org/wiki/OSSN/OSSN-0093
Comment 11 errata-xmlrpc 2024-04-22 01:01:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:1931 https://access.redhat.com/errata/RHSA-2024:1931
Comment 12 errata-xmlrpc 2024-04-22 01:02:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:1930 https://access.redhat.com/errata/RHSA-2024:1930
Comment 14 errata-xmlrpc 2024-06-24 01:04:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:4053 https://access.redhat.com/errata/RHSA-2024:4053