Bug 908581 (CVE-2013-0266) - CVE-2013-0266 OpenStack packstack: puppetlabs-cinder / manifests / base.pp weak file permissions
Status: CLOSED ERRATA
Alias: CVE-2013-0266
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Embargoed908582 Embargoed908587
Blocks: Embargoed908588
Reported: 2013-02-07 04:37 UTC by Kurt Seifried
Modified: 2023-05-12 20:30 UTC
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-10 18:52:03 UTC




Links
System: Red Hat Product Errata
ID: RHSA-2013:0595
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: openstack-packstack security and bug fix update
Last Updated: 2013-03-06 02:00:00 UTC

Description Kurt Seifried 2013-02-07 04:37:30 UTC
Derek Higgins (derekh) reports:

puppetlabs-cinder / manifests / base.pp as used in OpenStack packstack uses
unsafe file permissions (mode 0644) for various config files (cinder.conf and
api-paste.ini) which can result in authorization credentials being exposed to 
local attackers.

External references:
https://github.com/puppetlabs/puppetlabs-cinder/blob/master/manifests/base.pp#L31
mode    => '0644',

Comment 4 Derek Higgins 2013-02-08 13:20:15 UTC
This covers cinder.conf but I think api-paste.ini should also be included. It contains the cinder auth credentials for keystone.
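
A defender's check for the weak mode described in the report and in comment 4, added here as an example (not code from the bug report or from puppetlabs-cinder): it audits cinder.conf and api-paste.ini for world-readable permissions and contrasts the shipped 0644 with 0640. It assumes GNU coreutils stat on Linux and builds its sample files in a temporary directory rather than touching /etc/cinder.

```shell
#!/bin/sh
# Added example, not from the bug report or puppetlabs-cinder. Assumes GNU
# coreutils stat (Linux); the sample files are constructed below.

# check_not_world_readable FILE
# Returns 0 when FILE has no "other" read bit, 1 when it is world-readable
# (the 0644 shipped by base.pp), 2 when FILE does not exist.
check_not_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f")        # octal mode without leading zero, e.g. 644
    other=${mode#"${mode%?}"}        # last octal digit: permissions for "other"
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "EXPOSED: $f is mode 0$mode (world-readable)" >&2
        return 1
    fi
    return 0
}

# audit_cinder_configs DIR
# Checks the two files named in the report under DIR; returns the number of
# files that are world-readable or missing.
audit_cinder_configs() {
    bad=0
    for name in cinder.conf api-paste.ini; do
        check_not_world_readable "$1/$name" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo: recreate the shipped (0644) and corrected (0640) layouts
# in a temporary directory instead of touching /etc/cinder.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/shipped" "$demo_dir/fixed"
for name in cinder.conf api-paste.ini; do
    # placeholder credential line, not a real secret
    printf '[filter:authtoken]\nadmin_password = PLACEHOLDER\n' > "$demo_dir/shipped/$name"
    chmod 0644 "$demo_dir/shipped/$name"    # as in base.pp before the fix
    cp "$demo_dir/shipped/$name" "$demo_dir/fixed/$name"
    chmod 0640 "$demo_dir/fixed/$name"      # readable by owner and group only
done
if audit_cinder_configs "$demo_dir/shipped" 2>/dev/null; then
    echo "shipped layout: no world-readable files"
else
    echo "shipped layout: $? world-readable file(s)"
fi
if audit_cinder_configs "$demo_dir/fixed"; then
    echo "fixed layout: no world-readable files"
fi
```

On a real host, run audit_cinder_configs against /etc/cinder and pair the 0640 mode with owner and group set to the cinder service account so the service itself keeps read access.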

Comment 5 Murray McAllister 2013-02-24 21:49:35 UTC
Acknowledgements:

This issue was discovered by Derek Higgins of the Red Hat OpenStack team.

Comment 6 errata-xmlrpc 2013-03-05 21:03:31 UTC
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0595 https://rhn.redhat.com/errata/RHSA-2013-0595.html
