Bug 973514 - PST Audit: OpenStack Swift / Nova: Potential SQL injection
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130613,repor...
Keywords: Security
Blocks: 973515
Reported: 2013-06-12 02:05 EDT by Kurt Seifried
Modified: 2016-04-26 14:07 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-18 01:46:48 EDT

Description Kurt Seifried 2013-06-12 02:05:09 EDT
Grant Murphy (gmurphy@redhat.com) conducted an audit of OpenStack and reports the following potential SQL injection vulnerabilities:

[gm@localhost openstack]$ for q in SELECT WHERE INSERT UPDATE DELETE; do ack $q  | grep '%'; done | grep -v test
swift/swift/common/db.py:379:                SELECT ROWID FROM %s ORDER BY ROWID DESC LIMIT 1
swift/swift/common/db.py:424:                SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440:                "SELECT sync_point FROM %s_sync WHERE remote_id=?"
swift/swift/common/db.py:456:                SELECT remote_id, sync_point FROM %s_sync
swift/swift/common/db.py:561:                metadata = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:592:                md = conn.execute('SELECT metadata FROM %s_stat' %
swift/swift/common/db.py:633:            md = conn.execute('SELECT metadata FROM %s_stat' %
nova/nova/virt/hyperv/volumeutils.py:78:                                        "WHERE TargetName='%s'" % target_iqn)
nova/nova/virt/hyperv/hostutils.py:66:                                              "WHERE DeviceID='%s'"
nova/nova/virt/hyperv/basevolumeutils.py:123:                                                  "Class WHERE TargetName='%s'"
swift/swift/common/db.py:424:                SELECT * FROM %s WHERE ROWID > ? ORDER BY ROWID ASC LIMIT ?
swift/swift/common/db.py:440:                "SELECT sync_point FROM %s_sync WHERE remote_id=?"
nova/nova/db/sqlalchemy/migrate_repo/versions/152_change_type_of_deleted_column.py:40:    return "INSERT INTO %s %s" % (
nova/nova/db/sqlalchemy/utils.py:64:    return "INSERT INTO %s %s" % (
swift/swift/common/db.py:512:                        INSERT INTO %s_sync (sync_point, remote_id)
swift/swift/common/db.py:376:                UPDATE %s_stat SET id=?
swift/swift/common/db.py:403:                UPDATE %s_stat SET created_at=MIN(?, created_at),
swift/swift/common/db.py:518:                        UPDATE %s_sync SET sync_point=max(?, sync_point)
swift/swift/common/db.py:607:            conn.execute('UPDATE %s_stat SET metadata = ?' % self.db_type,
swift/swift/common/db.py:644:                    conn.execute('UPDATE %s_stat SET metadata = ?' %

Upstream has been notified and investigation of these issues will be needed.

These may not be exploitable so no CVE for now.
Comment 1 Kurt Seifried 2013-06-18 01:44:52 EDT
https://bugs.launchpad.net/nova/+bug/1190226

These have been classed as security hardening and not as a security vulnerability due to lack of exploitability.
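
Added example, not part of the bug report and not Swift or Nova code: the flagged `UPDATE %s_stat SET metadata = ?` lines interpolate the table name with `%` while binding the value with `?`, and the sketch below shows that shape hardened with an identifier allowlist. The allowlist values, function names and in-memory table are assumptions constructed for illustration.

```python
import sqlite3

# Assumption: the complete set of table prefixes this code should ever use.
ALLOWED_DB_TYPES = frozenset({"account", "container"})


# SQLite cannot bind identifiers with '?', so the table name must be
# interpolated; the allowlist check is what keeps that interpolation safe.
def stat_table(db_type):
    """Return '<db_type>_stat' only for an allowlisted prefix."""
    if db_type not in ALLOWED_DB_TYPES:
        raise ValueError("unexpected db_type: %r" % (db_type,))
    return "%s_stat" % db_type


def update_metadata(conn, db_type, metadata):
    """Same query shape as the flagged lines: identifier via %, value via ?."""
    conn.execute("UPDATE %s SET metadata = ?" % stat_table(db_type), (metadata,))


def read_metadata(conn, db_type):
    row = conn.execute("SELECT metadata FROM %s" % stat_table(db_type)).fetchone()
    return row[0]


def make_db():
    """Constructed in-memory database with one stat table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account_stat (id TEXT, metadata TEXT)")
    conn.execute("INSERT INTO account_stat VALUES ('a1', '')")
    return conn


def demo():
    conn = make_db()
    # A value containing SQL syntax is stored literally because it is bound.
    tricky = "x' WHERE id='other"
    update_metadata(conn, "account", tricky)
    stored = read_metadata(conn, "account")
    # An identifier outside the allowlist never reaches the SQL string.
    try:
        update_metadata(conn, "account_stat SET id='x' --", "m")
        rejected = False
    except ValueError:
        rejected = True
    return stored, rejected
```

Whether a given `%s` site needs this check depends on where the interpolated name comes from: a constant set in code carries no injection risk, while a name derived from request data does.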
