Bug 1255622 - (CVE-2015-5223) CVE-2015-5223 openstack-swift: Information leak via Swift tempurls
CVE-2015-5223 openstack-swift: Information leak via Swift tempurls
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150826,repor...
: Reopened, Security
Depends On: 1263018 1264282 1264283 1264284 1264285 1264286
Blocks: 1255631
  Show dependency treegraph
 
Reported: 2015-08-21 04:16 EDT by Adam Mariš
Modified: 2017-03-23 02:31 EDT (History)
29 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the OpenStack Object Storage service (swift) TempURLs. An attacker in possession of a TempURL key with PUT permissions could gain read access to other objects in the same project (tenant).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-23 02:31:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-08-21 04:16:52 EDT
Openstack upstream reported that a vulnerabilty in Swift tempurls was discovered.
When in possession of a tempurl key authorized for PUT, a malicious actor may retrieve
other objects in the same Swift account (tenant). All Swift setups are affected.

Vulnerability affects versions through 2.3.0.
Comment 5 Adam Mariš 2015-08-21 04:46:00 EDT
Acknowledgements:

Red Hat would like to thank the Openstack project for reporting this issue. Upstream acknowledges Richard Hawkins of Rackspace and the Swift core reviewers as the original reporters of this issue.
Comment 6 Adam Mariš 2015-08-28 05:17:52 EDT
Public via:

http://seclists.org/oss-sec/2015/q3/442
Comment 10 Garth Mollett 2015-09-18 02:06:10 EDT
Created openstack-swift tracking bugs for this issue:

Affects: fedora-all [bug 1264282]
Affects: openstack-rdo [bug 1264286]
Comment 12 errata-xmlrpc 2015-10-15 08:34:10 EDT
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7
  OpenStack 7 For RHEL 7
  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1895 https://rhn.redhat.com/errata/RHSA-2015-1895.html
Comment 14 Siddharth Sharma 2017-03-23 02:30:43 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6

Via RHSA-2016:0329 https://rhn.redhat.com/errata/RHSA-2016-0329.html
Comment 15 Siddharth Sharma 2017-03-23 02:31:32 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 7

Via RHSA-2016:0328 https://rhn.redhat.com/errata/RHSA-2016-0328.html

Note You need to log in before you can comment on or make changes to this bug.