yahoo-eng-team team mailing list archive
Message #83154
[Bug 1786646] Re: Domain Existence Leaking without authentication
** Changed in: keystone
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1786646
Title:
Domain Existence Leaking without authentication
Status in OpenStack Identity (keystone):
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The Domain Configuration subsystem, specifically PATCH
/domains/{domain_id}/config/{group} appears to leak data before
enforcement. The method called from the routed path[0] performs a
"domain exists" check[1] before sending to the 'update_domain_config'
method [2] which is behind the @protected decorator.
This has the potential to be used to verify existence of domains by ID
without authentication. This is in fact a data leak. However, since
domains (outside of "default" and the keystone-root domain) are UUIDs,
this is likely a C1 classification in the VMT Taxonomy [3] (useful if
an attacker is guessing UUIDs). The only case where this is more
significant is that it can be used to determine if the default domain
is enabled/configured; the usefulness of such data is relatively
suspect and unlikely to be meaningful.
However, with all that said, since this is a potential security flaw,
the bug has been marked private security.
[0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
[1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
[2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
[3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
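The ordering problem the report describes, as an added illustration that is not keystone's own code: the `protected` decorator, the handlers, the `status_for` helper and the in-memory `DOMAINS` table are simplified stand-ins (assumptions), showing why an existence check that runs before enforcement lets an anonymous caller tell a 404 from a 401, and how moving enforcement to the entry point closes the gap.

```python
import functools

class Unauthorized(Exception):
    """Raised when the request carries no valid token (HTTP 401)."""
class NotFound(Exception):
    """Raised when the referenced domain does not exist (HTTP 404)."""

# Constructed sample data: the domain IDs that "exist" in this model.
DOMAINS = {"default", "3f1c2d9e8b7a4c6d9e0f1a2b3c4d5e6f"}

def protected(func):
    """Simplified stand-in (assumption) for keystone's @protected: reject callers with no token."""
    @functools.wraps(func)
    def wrapper(request, *args, **kwargs):
        if not request.get("token"):
            raise Unauthorized()
        return func(request, *args, **kwargs)
    return wrapper

@protected
def update_domain_config(request, domain_id, group):
    """Enforced target; in the vulnerable path it is reached only after the existence check."""
    return {"domain": domain_id, "group": group, "status": "updated"}

def vulnerable_patch(request, domain_id, group):
    """Routed handler as the report describes it: the 'domain exists' check runs
    before enforcement, so an anonymous caller gets 404 for unknown IDs but
    401 for real ones, and the difference reveals which IDs exist."""
    if domain_id not in DOMAINS:
        raise NotFound()
    return update_domain_config(request, domain_id, group)

@protected
def fixed_patch(request, domain_id, group):
    """Enforcement decorates the entry point itself, so an anonymous caller
    always gets 401 and the existence check never runs for them."""
    if domain_id not in DOMAINS:
        raise NotFound()
    return update_domain_config(request, domain_id, group)

def status_for(handler, request, domain_id, group="ldap"):
    """Map a handler's outcome to the HTTP status a client would observe."""
    try:
        handler(request, domain_id, group)
        return 200
    except Unauthorized:
        return 401
    except NotFound:
        return 404
```

A detection-side check follows the same logic: a test that sends an unauthenticated request for a known and an unknown ID and asserts both get the same status will fail on the vulnerable ordering and pass on the fixed one.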