yahoo-eng-team team mailing list archive

[Bug 1786646] Re: Domain Existence Leaking without authentication

** Changed in: keystone
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1786646

Title:
  Domain Existence Leaking without authentication

Status in OpenStack Identity (keystone):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The Domain Configuration subsystem, specifically PATCH
  /domains/{domain_id}/config/{group} appears to leak data before
  enforcement. The method called from the routed path[0] performs a
  "domain exists" check[1] before sending to the 'update_domain_config'
  method [2] which is behind the @protected decorator.

  This has the potential to be used to verify existence of domains by ID
  without authentication. This is in fact a data leak. However, since
  domains (outside of "default" and the keystone-root domain) are UUIDs,
  this is likely a C1 classification in the VMT Taxonomy [3] (useful if
  an attacker is guessing UUIDs). The only case where this is more
  significant is that it can be used to determine if the default domain
  is enabled/configured; the usefulness of such data is relatively
  suspect and unlikely to be meaningful.

  However, with all that said, since this is a potential security flaw,
  the bug has been marked private security.

  [0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
  [1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
  [2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
  [3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1786646/+subscriptions
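As an added illustration, not part of the bug report or of keystone's own code, the ordering problem the report describes in miniature: an existence check that runs before the authorization decorator lets an unauthenticated caller tell 404 from 401, while enforcing first removes that signal. All names, the decorator and the sample domain IDs are hypothetical stand-ins.

```python
# Added example (hypothetical names, not keystone's code): the order of an
# existence check relative to an authorization check decides what an
# anonymous caller can learn from the response status.
DOMAINS = {"default", "3f1b6c9e2a7d4e0f9b8c1d2e3f4a5b6c"}  # constructed sample


class NotFound(Exception):
    status = 404


class Unauthorized(Exception):
    status = 401


def protected(func):
    """Stand-in for an authorization decorator: reject unauthenticated callers."""
    def wrapper(context, *args, **kwargs):
        if not context.get("token"):
            raise Unauthorized()
        return func(context, *args, **kwargs)
    return wrapper


def _require_domain_exists(domain_id):
    if domain_id not in DOMAINS:
        raise NotFound()


@protected
def _update_domain_config(context, domain_id, group, config):
    return {"domain": domain_id, "group": group, "config": config}


def patch_config_leaky(context, domain_id, group, config):
    # Existence check runs before enforcement: anonymous caller sees 404 vs 401.
    _require_domain_exists(domain_id)
    return _update_domain_config(context, domain_id, group, config)


@protected
def patch_config_fixed(context, domain_id, group, config):
    # Enforcement first: anonymous callers get 401 whether or not the domain exists.
    _require_domain_exists(domain_id)
    return _update_domain_config(context, domain_id, group, config)


def status_for(handler, context, domain_id):
    """HTTP-style status an endpoint built on `handler` would return."""
    try:
        handler(context, domain_id, "ldap", {"url": "ldap://example"})
        return 200
    except (NotFound, Unauthorized) as exc:
        return exc.status


def anonymous_view(handler):
    """(status for an existing domain, status for an unknown domain) seen without a token."""
    anon = {}
    return status_for(handler, anon, "default"), status_for(handler, anon, "does-not-exist")
```

The leaky ordering yields (401, 404) to an anonymous caller, the fixed ordering (401, 401); authenticated callers still receive 404 for unknown domains.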