yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1915308] Re: security group table doesn't observe Neutron policy settings

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <1915308@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Feb 2021 17:26:24 -0000
Reply-to: Bug 1915308 <1915308@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Thanks, I've switched this to a normal public bug and set our security
advisory task to Won't Fix indicating there shouldn't be any advisory
publication required. The OpenStack VMT is treating this as a class E
report (neither a vulnerability nor hardening opportunity) per our
taxonomy: https://security.openstack.org/vmt-process.html#incident-
report-taxonomy

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-05-11 and will be made
- public by or on that date even if no fix is identified.
- 
  The security group panel enables all actions (create/edit/delete/manage
  rules/etc.) regardless of the network policy.yaml settings or user
  account.
  
  In the code there's this telling readme:
  
  # TODO(amotoki): [drop-nova-network] Add neutron policy support
  
  In my deployment this is a bit alarming -- users who are intended to be
  read-only are nonetheless invited to delete things.  Of course the
  Neutron backend /does/ observe the policy so this is ugly but not
  usually an actual security risk unless people have different back-end
  and front-end policy files.
  
  I'm flagging as security-related nonetheless for the odd edge case where
  it poses a risk.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1915308

Title:
  security group table doesn't observe Neutron policy settings

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The security group panel enables all actions
  (create/edit/delete/manage rules/etc.) regardless of the network
  policy.yaml settings or user account.

  In the code there's this telling readme:

  # TODO(amotoki): [drop-nova-network] Add neutron policy support

  In my deployment this is a bit alarming -- users who are intended to
  be read-only are nonetheless invited to delete things.  Of course the
  Neutron backend /does/ observe the policy so this is ugly but not
  usually an actual security risk unless people have different back-end
  and front-end policy files.

  I'm flagging as security-related nonetheless for the odd edge case
  where it poses a risk.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1915308/+subscriptions