Bug 1809855 (CVE-2020-9543) - CVE-2020-9543 openstack-manila: User with share-network UUID is able to show, create and delete shares
Summary: CVE-2020-9543 openstack-manila: User with share-network UUID is able to show...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-9543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1812356 1810367 1810368 1810369 1814000
Blocks: 1809857
TreeView+ depends on / blocked
 
Reported: 2020-03-04 03:03 UTC by Joshua Padman
Modified: 2020-07-20 06:54 UTC (History)
14 users (show)

Fixed In Version: manila 7.4.1, manila 8.1.1, manila 9.1.1
Doc Type: If docs needed, set a value
Doc Text:
An access flaw was found in openstack-manila, where the API did not validate the user/project on commands. A malicious user having the UUID of a share-network could view, update, delete, or share resources that did not belong to them. Attackers could also create resources on shared networks (for example, shared file systems or groups of shares).
Clone Of:
Environment:
Last Closed: 2020-04-06 10:32:15 UTC


Attachments (Terms of Use)
Pike patch (6.51 KB, application/mbox)
2020-03-05 05:20 UTC, Summer Long
no flags Details
Queens patch (6.44 KB, application/mbox)
2020-03-05 05:20 UTC, Summer Long
no flags Details
Ussuri patch (7.03 KB, application/mbox)
2020-03-05 05:21 UTC, Summer Long
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1326 None None None 2020-04-06 09:02:01 UTC
Red Hat Product Errata RHSA-2020:2165 None None None 2020-05-14 12:07:12 UTC
Red Hat Product Errata RHSA-2020:2729 None None None 2020-06-24 12:16:00 UTC

Description Joshua Padman 2020-03-04 03:03:05 UTC
A user that has the UUID of a share-network can show information, create shares or delete the share-network. The API does not validate the user/project on commands. The UUIDs are not intended to be secret, however, there are currently no protections to enable this safely.

Comment 1 Summer Long 2020-03-05 05:17:19 UTC
Acknowledgments:

Name: the OpenStack Manila project

Comment 2 Summer Long 2020-03-05 05:17:21 UTC
Mitigation:

There is no known mitigation for this issue, the flaw can only be resolved by applying updates.

Comment 3 Summer Long 2020-03-05 05:20:11 UTC
Created attachment 1667633 [details]
Pike patch

Comment 4 Summer Long 2020-03-05 05:20:57 UTC
Created attachment 1667634 [details]
Queens patch

Comment 5 Summer Long 2020-03-05 05:21:32 UTC
Created attachment 1667635 [details]
Ussuri patch

Comment 7 Summer Long 2020-03-11 05:43:36 UTC
Upstream bug: https://bugs.launchpad.net/manila/+bug/1861485

Comment 9 Summer Long 2020-03-11 06:13:30 UTC
Created openstack-manila tracking bugs for this issue:

Affects: openstack-rdo [bug 1812356]

Comment 10 msiddiqu 2020-03-11 14:13:47 UTC
References: 

https://bugs.launchpad.net/manila/+bug/1861485

Comment 11 msiddiqu 2020-03-11 14:13:55 UTC
External References:

https://security.openstack.org/ossa/OSSA-2020-002.html

Comment 12 errata-xmlrpc 2020-04-06 09:01:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:1326 https://access.redhat.com/errata/RHSA-2020:1326

Comment 13 Product Security DevOps Team 2020-04-06 10:32:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9543

Comment 14 errata-xmlrpc 2020-05-14 12:07:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.0 (Train)

Via RHSA-2020:2165 https://access.redhat.com/errata/RHSA-2020:2165

Comment 15 errata-xmlrpc 2020-06-24 12:15:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:2729 https://access.redhat.com/errata/RHSA-2020:2729


Note You need to log in before you can comment on or make changes to this bug.