yahoo-eng-team team mailing list archive
Message #23157
[Bug 1357379] Re: [OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414)
** Changed in: neutron
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1357379
Title:
[OSSA 2014-031] policy admin_only rules not enforced when changing
value to default (CVE-2014-6414)
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron havana series:
Invalid
Status in neutron icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
If a non-admin user tries to update an attribute, which should be
updated only by an admin, from a non-default value to the default, the
update is successfully performed and the PolicyNotAuthorized exception is
not raised.
The reason is that when a rule to match for a given action is built,
there is a verification that each attribute in the body of the resource
is present and has a non-default value. Thus, if we try to change some
attribute's value to the default, it is not considered to be explicitly
set and the corresponding rule is not enforced.
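Added illustrative model of the check described above (my own example, not Neutron's code): the attribute name "shared", its default False and the admin_only policy on it are constructed for the demonstration. It shows the pre-fix test, which ignores an attribute reset to its default, next to a check that treats any attribute present in an update body as explicitly set.

```python
"""Simplified model of the policy attribute check behind CVE-2014-6414.

Constructed resource: a "network" with an admin-only attribute "shared"
(default False) and a free-for-all attribute "name". Not Neutron's code.
"""

ATTR_NOT_SPECIFIED = object()  # sentinel for "attribute not in request"

# Constructed attribute map: attribute -> metadata with its default value
RESOURCE_ATTRS = {"shared": {"default": False}, "name": {"default": ""}}
# Constructed policy: attributes whose update requires the admin role
ADMIN_ONLY_ATTRS = {"shared"}


class PolicyNotAuthorized(Exception):
    pass


def explicitly_set_vulnerable(attr, body):
    """Pre-fix logic: an attribute only counts as 'set' when it is present
    AND differs from its default, so a reset to the default is invisible."""
    return (attr in body
            and body[attr] is not ATTR_NOT_SPECIFIED
            and body[attr] != RESOURCE_ATTRS[attr]["default"])


def explicitly_set_fixed(attr, body, attributes_to_update):
    """Post-fix logic: on an update, any attribute the caller listed in the
    request body is explicitly set, whatever value it carries."""
    return (attr in attributes_to_update
            and body.get(attr, ATTR_NOT_SPECIFIED) is not ATTR_NOT_SPECIFIED)


def enforce_update(body, is_admin, fixed=True):
    """Enforce admin-only rules for an update request.

    Returns True when the update is allowed, raises PolicyNotAuthorized
    otherwise. fixed=False reproduces the vulnerable behaviour."""
    attrs_to_update = list(body.keys())
    for attr in ADMIN_ONLY_ATTRS:
        if fixed:
            touched = explicitly_set_fixed(attr, body, attrs_to_update)
        else:
            touched = explicitly_set_vulnerable(attr, body)
        if touched and not is_admin:
            raise PolicyNotAuthorized(f"updating {attr} is admin-only")
    return True


def is_allowed(body, is_admin, fixed=True):
    """Boolean wrapper so both outcomes can be compared side by side."""
    try:
        return enforce_update(body, is_admin, fixed)
    except PolicyNotAuthorized:
        return False
```

With the vulnerable check, a non-admin resetting "shared" to False is allowed; with the fixed check it is refused, while admin updates and non-admin updates of "name" behave the same in both.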
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1357379/+subscriptions