Bug 2120660 - CVE-2022-3101 tripleo-ansible: File permissions are too liberal on a director deployment [openstack-16.2]
Summary: CVE-2022-3101 tripleo-ansible: File permissions are too liberal on a director...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 16.2 (Train)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: async
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: Takashi Kajinami
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks: CVE-2022-3101
Reported: 2022-08-23 13:35 UTC by David Hill
Modified: 2022-12-23 01:28 UTC (History)
CC List: 8 users

Fixed In Version: tripleo-ansible-0.8.1-2.20220406160116.el8ost openstack-tripleo-common-11.7.1-2.20220318011206.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-17 10:20:51 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1990226 0 None None None 2022-09-22 12:37:25 UTC
OpenStack gerrit 858591 0 None stable/train: MERGED tripleo-ansible: Train-only: Reduce permission of config-download files (Idc78964f560fc7a5766cf164c65d48adcbed4532) 2022-09-28 14:07:48 UTC
OpenStack gerrit 858593 0 None stable/train: MERGED tripleo-common: Train-only: Reduce permission of config-download files (Idc78964f560fc7a5766cf164c65d48adcbed4532) 2022-09-28 14:07:54 UTC
Red Hat Issue Tracker OSP-18328 0 None None None 2022-08-23 13:42:18 UTC
Red Hat Product Errata RHSA-2022:6969 0 None None None 2022-10-17 10:21:22 UTC

Comment 21 David Rosenfeld 2022-10-06 17:17:47 UTC
Used RHOS-16.2-RHEL-8-20221005.n.1-ASYNC

[stack@undercloud-0 ~]$ yum list installed | grep tripleo-ansible
tripleo-ansible.noarch                        0.8.1-2.20220406160116.el8ost                @rhelosp-16.2

[stack@undercloud-0 ~]$ yum list installed | grep openstack-tripleo-common
openstack-tripleo-common.noarch               11.7.1-2.20220318011206.el8ost               @rhelosp-16.2                     
openstack-tripleo-common-containers.noarch    11.7.1-2.20220318011206.el8ost               @rhelosp-16.2 


Moving to ON_DEV. Can still recover password from /var/lib/mistral:

[stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
    OS_PASSWORD: 5eflajGWotKbhIPa6HiKLos7H

Comment 22 David Rosenfeld 2022-10-06 18:03:57 UTC
As a regular user /var/lib/mistral is not visible:

[stack@undercloud-0 ~]$ ls -l /var/lib/mistral
ls: cannot open directory '/var/lib/mistral': Permission denied
[stack@undercloud-0 ~]$ 
[stack@undercloud-0 ~]$ 


However, the overcloud directory still has open permission, so a regular user can still access files in the overcloud directory:

[stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral
total 8
lrwxrwxrwx.  1 42430 42430   26 Oct  6 13:39 config-download-latest -> /var/lib/mistral/overcloud
drwxr-xr-x. 14 42430 42430 4096 Oct  6 14:08 overcloud
-r--r--r--.  1 42430 42430 1057 Oct  6 12:51 undercloud.conf

Comment 23 James Slagle 2022-10-06 19:30:54 UTC
The mistral_executor container does not have the updated openstack-tripleo-common from the FIV:

[stack@undercloud-0 ~]$ sudo podman exec -it mistral_executor rpm -q openstack-tripleo-common
openstack-tripleo-common-11.7.1-2.20220318011205.b5ef9a5.el8ost.noarch

Mistral is running containerized and using code from tripleo-common, so we need to patch the container in addition to the host.

Comment 24 James Slagle 2022-10-06 20:24:13 UTC
I updated the openstack-tripleo-common containers in the mistral_executor container, then restarted the container:

[stack@undercloud-0 ~]$ sudo podman exec -it mistral_executor rpm -qa | grep tripleo-common
openstack-tripleo-common-container-base-11.7.1-2.20220318011206.el8ost.noarch
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch
python3-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch
openstack-tripleo-common-containers-11.7.1-2.20220318011206.el8ost.noarch


Then I ran overcloud deploy with the --config-download-only arg (just to skip the stack update). Looks like it is fixed now:

[stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
grep: /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml: Permission denied
[stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral
total 8
lrwxrwxrwx.  1 42430 42430   26 Oct  6 20:08 config-download-latest -> /var/lib/mistral/overcloud
drwxrwx---. 15 42430 42430 4096 Oct  6 20:12 overcloud
-r--r--r--.  1 42430 42430 1057 Oct  6 12:51 undercloud.conf

Comment 25 James Slagle 2022-10-06 20:38:40 UTC
The tripleo-ansible patch, which fixes the permissions on overcloud.json, also looks fixed:

(undercloud) [stack@undercloud-0 ~]$ sudo ls -l /var/lib/mistral/overcloud/group_vars/overcloud.json
-rw-r-----. 1 42430 42430 30896 Oct  6 20:08 /var/lib/mistral/overcloud/group_vars/overcloud.json

Comment 26 Jon Schlueter 2022-10-07 00:24:09 UTC
Testing as mentioned above requires the mistral-executor container image to be patched for this fix to be effective and to be testable.

Comment 28 David Rosenfeld 2022-10-12 18:34:38 UTC
Stopped mistral-executor, downloaded rhosp16-openstack-mistral-executor:16.2.3-10.1665156347, and started it with new image:

(undercloud) [stack@undercloud-0 ~]$ sudo podman ps -a | grep mistral-executor
41ebabbec3eb  undercloud-0.ctlplane.redhat.local:8787/rh-osbs/rhosp16-openstack-mistral-executor:16.2.3-10.1665156347      kolla_start

Reran overcloud deploy and verified password was no longer recoverable:

(undercloud) [stack@undercloud-0 ~]$ grep OS_PASSWORD /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml
grep: /var/lib/mistral/overcloud/Controller/post_upgrade_tasks.yaml: Permission denied
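The verification in comments 21 through 28 checks by hand that, once the host packages and the mistral-executor container image both carry the fix, a regular user can no longer read the config-download tree. The script below is an added example, not part of the bug report and not code from tripleo-ansible or tripleo-common, that turns that manual check into a repeatable audit from the operator's side: it walks a directory (assumed to be /var/lib/mistral on an undercloud) and lists every regular file or directory that still grants any permission to "other", which after the fix should be none (the modes shown in comments 24 and 25 are 0770 on overcloud and 0640 on group_vars/overcloud.json). The function names, the constructed sample tree used for self-testing and the reliance on POSIX `find` symbolic modes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the tripleo projects: audit a
# config-download tree for anything still accessible to "other" users.
# Expected after the fix (comments 24/25): the overcloud directory is 0770
# and group_vars/overcloud.json is 0640, so no regular file or directory
# under the tree should carry any o+rwx bit.

# audit_world_access DIR
# Prints every regular file or directory under DIR that has any permission
# bit set for "other". Symlinks are skipped on purpose: their own mode is
# always 0777 on Linux and only the target's mode matters (the
# config-download-latest link in the listings above is such a case).
# Returns 0 when the tree is clean, 1 when offenders exist, 2 on bad input.
audit_world_access() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit_world_access: not a directory: $dir" >&2
        return 2
    fi
    # POSIX find: "-perm -o+r" matches entries that have all of the listed
    # bits set, so the three alternatives together mean "any o bit set".
    offenders=$(find "$dir" ! -type l \
        \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return 1
}

# count_world_accessible DIR
# Number of offending paths, convenient for scripted checks (0 means clean).
count_world_accessible() {
    audit_world_access "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: audit the directory given on the command line, e.g.
#   sudo sh audit_config_download.sh /var/lib/mistral
# (run as root, since after the fix the directory is not listable by stack)
if [ "$#" -gt 0 ]; then
    audit_world_access "$1"
fi
```

Running this as root on an undercloud after applying the errata should print nothing and exit 0; any path it prints is a file that a non-root local user can still open, which for this tree means a file that may embed overcloud credentials such as the OS_PASSWORD value grepped for above.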

Comment 30 errata-xmlrpc 2022-10-17 10:20:51 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenStack Platform (tripleo-ansible) security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6969

