Bug 1809855 (CVE-2020-9543) - CVE-2020-9543 openstack-manila: User with share-network UUID is able to show, create and delete shares
Summary: CVE-2020-9543 openstack-manila: User with share-network UUID is able to show...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-9543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1810367 1810368 1810369 1812356 1814000
Blocks: 1809857
Reported: 2020-03-04 03:03 UTC by Joshua Padman
Modified: 2021-02-16 20:30 UTC (History)
CC: 14 users

Fixed In Version: manila 7.4.1, manila 8.1.1, manila 9.1.1
Clone Of:
Environment:
Last Closed: 2020-04-06 10:32:15 UTC
Embargoed:


Attachments
Pike patch (6.51 KB, application/mbox), 2020-03-05 05:20 UTC, Summer Long
Queens patch (6.44 KB, application/mbox), 2020-03-05 05:20 UTC, Summer Long
Ussuri patch (7.03 KB, application/mbox), 2020-03-05 05:21 UTC, Summer Long


Links
Red Hat Product Errata RHSA-2020:1326, last updated 2020-04-06 09:02:01 UTC
Red Hat Product Errata RHSA-2020:2165, last updated 2020-05-14 12:07:12 UTC
Red Hat Product Errata RHSA-2020:2729, last updated 2020-06-24 12:16:00 UTC

Description Joshua Padman 2020-03-04 03:03:05 UTC
A user that has the UUID of a share-network can show information, create shares or delete the share-network. The API does not validate the user/project on commands. The UUIDs are not intended to be secret, however, there are currently no protections to enable this safely.
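
The flaw class described above, as an added illustration that is not Manila's code and not part of this bug report: a share-network lookup that resolves the record by UUID alone, beside the same lookup scoped to the project in the caller's request context. The record layout, the RequestContext fields, the function names and the sample UUIDs are all hypothetical; the point is only that an ID-keyed lookup without an ownership check lets any tenant who knows the UUID show, modify or delete another tenant's resource, and that the fix must return the same not-found error whether the ID is missing or belongs to someone else.

```python
"""Added illustration of the flaw class in CVE-2020-9543 (not Manila's
code): a share-network lookup keyed on UUID only versus one that also
scopes the lookup to the caller's project. Record layout, context fields,
function names and UUIDs are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample UUIDs (not real resources).
NET_A = "0f8fad5b-d9cb-469f-a165-70867728950e"
NET_B = "7c9e6679-7425-40de-944b-e07fc1f90ae7"


class NotFound(Exception):
    """Used for both 'no such id' and 'not your project', so a caller
    cannot tell from the error whether a guessed UUID exists."""


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ShareNetwork:
    id: str
    project_id: str
    name: str
    shares: List[str] = field(default_factory=list)


def fresh_db() -> Dict[str, ShareNetwork]:
    """Two tenants, one share network each (constructed data)."""
    return {
        NET_A: ShareNetwork(NET_A, "proj-a", "net-a"),
        NET_B: ShareNetwork(NET_B, "proj-b", "net-b"),
    }


def get_vulnerable(db, ctx: RequestContext, sn_id: str) -> ShareNetwork:
    """Resolves by UUID only; the caller's project is never consulted,
    so anyone who learns or guesses the UUID can act on the network."""
    sn = db.get(sn_id)
    if sn is None:
        raise NotFound(sn_id)
    return sn


def get_fixed(db, ctx: RequestContext, sn_id: str) -> ShareNetwork:
    """Same lookup, but a non-admin caller only resolves networks owned
    by the project in its own request context."""
    sn = db.get(sn_id)
    if sn is None or (not ctx.is_admin and sn.project_id != ctx.project_id):
        raise NotFound(sn_id)
    return sn


def create_share(db, ctx, sn_id, share_name, lookup=get_fixed) -> int:
    """Attaches a share to the network; returns the new share count."""
    sn = lookup(db, ctx, sn_id)
    sn.shares.append(share_name)
    return len(sn.shares)


def delete_share_network(db, ctx, sn_id, lookup=get_fixed) -> str:
    """Removes the network; returns its id."""
    sn = lookup(db, ctx, sn_id)
    del db[sn.id]
    return sn.id


def cross_tenant_attempts(lookup) -> dict:
    """Tenant B tries show / create / delete against tenant A's network
    with the given lookup and records which steps succeed (None = refused)."""
    db = fresh_db()
    tenant_b = RequestContext("user-b", "proj-b")
    outcome = {}
    for step, fn in (
        ("show", lambda: lookup(db, tenant_b, NET_A).name),
        ("create", lambda: create_share(db, tenant_b, NET_A, "share-x", lookup)),
        ("delete", lambda: delete_share_network(db, tenant_b, NET_A, lookup)),
    ):
        try:
            outcome[step] = fn()
        except NotFound:
            outcome[step] = None
    outcome["net_a_still_exists"] = NET_A in db
    return outcome


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_attempts(get_vulnerable))
    print("fixed:     ", cross_tenant_attempts(get_fixed))
```

With the UUID-only lookup every step against the other tenant's network succeeds and the network is gone afterwards; with the project-scoped lookup all three are refused with the same NotFound, and an admin context still resolves the record.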

Comment 1 Summer Long 2020-03-05 05:17:19 UTC
Acknowledgments:

Name: the OpenStack Manila project

Comment 2 Summer Long 2020-03-05 05:17:21 UTC
Mitigation:

There is no known mitigation for this issue; the flaw can only be resolved by applying updates.

Comment 3 Summer Long 2020-03-05 05:20:11 UTC
Created attachment 1667633 [details]
Pike patch

Comment 4 Summer Long 2020-03-05 05:20:57 UTC
Created attachment 1667634 [details]
Queens patch

Comment 5 Summer Long 2020-03-05 05:21:32 UTC
Created attachment 1667635 [details]
Ussuri patch

Comment 7 Summer Long 2020-03-11 05:43:36 UTC
Upstream bug: https://bugs.launchpad.net/manila/+bug/1861485

Comment 9 Summer Long 2020-03-11 06:13:30 UTC
Created openstack-manila tracking bugs for this issue:

Affects: openstack-rdo [bug 1812356]

Comment 10 msiddiqu 2020-03-11 14:13:47 UTC
References: 

https://bugs.launchpad.net/manila/+bug/1861485

Comment 11 msiddiqu 2020-03-11 14:13:55 UTC
External References:

https://security.openstack.org/ossa/OSSA-2020-002.html

Comment 12 errata-xmlrpc 2020-04-06 09:01:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:1326 https://access.redhat.com/errata/RHSA-2020:1326

Comment 13 Product Security DevOps Team 2020-04-06 10:32:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9543

Comment 14 errata-xmlrpc 2020-05-14 12:07:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.0 (Train)

Via RHSA-2020:2165 https://access.redhat.com/errata/RHSA-2020:2165

Comment 15 errata-xmlrpc 2020-06-24 12:15:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:2729 https://access.redhat.com/errata/RHSA-2020:2729
