1039141 – (CVE-2013-6426) CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced

Bug 1039141 (CVE-2013-6426) - CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced

Summary: CVE-2013-6426 OpenStack Heat: CFN policy rules not all enforced

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-6426
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1039147 1112425 1112428
Blocks:	1039146
TreeView+	depends on / blocked

Reported:	2013-12-06 18:50 UTC by Kurt Seifried
Modified:	2023-05-12 15:35 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-15 07:29:12 UTC
Embargoed:

Attachments	(Terms of Use)
cve-2013-6426-master-icehouse.patch (34.24 KB, patch) 2013-12-06 19:01 UTC, Kurt Seifried	no flags	Details \| Diff
cve-2013-6426-stable-havana.patch (33.93 KB, patch) 2013-12-06 19:01 UTC, Kurt Seifried	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:0090	0	normal	SHIPPED_LIVE	Moderate: openstack-heat security, bug fix, and enhancement update	2014-01-22 23:31:23 UTC

Description Kurt Seifried 2013-12-06 18:50:48 UTC

Jeremy Stanley of the OpenStack Project reports:

Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.

Comment 2 Kurt Seifried 2013-12-06 18:58:37 UTC

Acknowledgements: 

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.

Comment 4 Kurt Seifried 2013-12-06 19:01:04 UTC

Created attachment 833715 [details]
cve-2013-6426-master-icehouse.patch

Comment 5 Kurt Seifried 2013-12-06 19:01:49 UTC

Created attachment 833717 [details]
cve-2013-6426-stable-havana.patch

Comment 6 errata-xmlrpc 2014-01-22 18:33:06 UTC

This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0090 https://rhn.redhat.com/errata/RHSA-2014-0090.html

Comment 9 Garth Mollett 2014-06-23 23:43:09 UTC

Created openstack-heat tracking bugs for this issue:

Affects: fedora-19 [bug 1112428]

Note You need to log in before you can comment on or make changes to this bug.