Bug 772202 - (CVE-2012-0030) CVE-2012-0030 openstack-nova: Tenant bypass by authenticated users using OpenStack API
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20120111,repo...
Keywords: Security
Reported: 2012-01-06 07:33 EST by Pádraig Brady
Modified: 2016-01-04 09:41 EST
Doc Type: Bug Fix
Last Closed: 2013-08-09 20:58:22 EDT
Attachments
proposed upstream patch to fix the flaw (1.73 KB, patch)
2012-01-06 13:43 EST, Vincent Danen
proposed upstream patch that also fixes the unit tests (88.12 KB, patch)
2012-01-06 13:44 EST, Vincent Danen
backported patch from upstream against 2011.3 (2.02 KB, patch)
2012-01-06 13:46 EST, Vincent Danen
preliminary backported patch from upstream against 2011.3 for unit test fixes (64.80 KB, patch)
2012-01-06 13:47 EST, Vincent Danen
diablo-cve-2012-0030.patch (73.10 KB, patch)
2012-01-09 19:37 EST, Mark McLoughlin
Description Pádraig Brady 2012-01-06 07:33:27 EST
Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar
(HP) discovered a vulnerability in Nova API nodes' handling of incoming
requests. An authenticated user may craft malicious commands to affect
resources on tenants he is not a member of, potentially leading to
incorrect billing, quota escaping or compromise of computing resources
created by a third party. Only setups allowing the OpenStack API are
affected.

We expect to have a patch for our Diablo version released in F16 and EPEL
early next week.

A CVE number is pending.

Proposed public disclosure date/time:
Wednesday, January 11, 2012, 1500UTC
Comment 1 Vincent Danen 2012-01-06 13:43:27 EST
Created attachment 551231 [details]
proposed upstream patch to fix the flaw

This is the minimal patch that corrects the flaw, but breaks the unit tests.
Comment 2 Vincent Danen 2012-01-06 13:44:03 EST
Created attachment 551232 [details]
proposed upstream patch that also fixes the unit tests
Comment 3 Vincent Danen 2012-01-06 13:46:46 EST
Created attachment 551233 [details]
backported patch from upstream against 2011.3

This is a backported patch provided by Jamie Strandboge, again with unit test breakage.
Comment 4 Vincent Danen 2012-01-06 13:47:29 EST
Created attachment 551235 [details]
preliminary backported patch from upstream against 2011.3 for unit test fixes
Comment 5 Mark McLoughlin 2012-01-06 13:56:00 EST
As the upstream stable branch maintainer, I'll be backporting the full fix and applying it to the stable branch at disclosure time. I'll make that patch available in advance.
Comment 7 Vincent Danen 2012-01-06 14:03:44 EST
Mark, that sounds great.  So Fedora will just rebase to the latest upstream stable version on disclosure?
Comment 8 Mark McLoughlin 2012-01-06 14:59:57 EST
(In reply to comment #7)
> Mark, that sounds great.  So Fedora will just rebase to the latest upstream
> stable version on disclosure?

Yeah, the latest package release is actually based on the latest revision of the stable branch. So, we'll just be pulling in a single new patch.
Comment 9 Mark McLoughlin 2012-01-09 19:37:08 EST
Created attachment 551729 [details]
diablo-cve-2012-0030.patch

Here's a version of the patch which applies against our F-16 tree. This is what will be pushed to the upstream stable/diablo branch.
Comment 10 Pádraig Brady 2012-01-10 04:49:56 EST
Thanks Mark.
I'll apply that tomorrow at 15:00UTC.
I also have other unrelated tweaks that need to go in the update.
Comment 11 Vincent Danen 2012-01-11 22:46:24 EST
This is now public:

https://github.com/openstack/nova/commit/c9c09bd60e7a0e0258d218a31d7878755bea1395
Comment 12 Vincent Danen 2012-01-11 22:47:39 EST
openstack-nova-2011.3-19.el6 has been submitted as an update for EPEL6.

http://koji.fedoraproject.org/koji/buildinfo?buildID=282783

openstack-nova-2011.3-19.fc16 has been submitted as an update for Fedora 16:

http://koji.fedoraproject.org/koji/buildinfo?buildID=282782
