Validation of Timestamp/Expires for ec2 query parameters is not correct
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Sirisha Devineni |
oslo-incubator | Fix Released | Undecided | Sirisha Devineni |
Grizzly | Fix Released | Undecided | Sirisha Devineni |
Bug Description
It doesn't appear that the Timestamp query parameter for ec2 requests is completely validated or used. Looking at the class "Requestify" in ../nova/
1. Only Timestamp is tested for, but Expires isn't.
2. The format of the Timestamp is not tested for.
3. The value of the Timestamp is not tested to be within some time delta.
The AWS documentation states at this link
http://
"Requests must include either Timestamp or Expires, but cannot contain both" and "The date and time at which the request is signed, in the format YYYY-MM-
The AWS documentation at this link and others
http://
states,
"Why do I get keep getting "Request has expired" errors?
To reduce the risk of replay attacks, our requests include a timestamp. This and the most important parts of the request are signed to ensure the message (including the timestamp) cannot be modified without detection.
If the difference between the timestamp in the request and the time on our servers is larger than 5 minutes, the request is too old (or too new) and an error is returned.
You need to ensure that your system clock is accurate and configured to use the correct time zone. For more information, go to NTP."
Looking at the code in Requestify and searching the rest of the code base for use of "Timestamp" I don't see any places where Timestamp is used or tested. It seems like this is a potential security-related issue.
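One way to perform the three checks listed in the description, as an added example that is not nova's or oslo's code and not part of the original report. The names `check_request_time`, `parse_utc` and `InvalidRequest` are hypothetical, the accepted time format is an assumption (the format string quoted above is cut off), and the 5-minute window is the one from the AWS FAQ quoted above.

```python
from datetime import datetime, timedelta, timezone

# Assumption: UTC ISO 8601 values, with optional fractional seconds.
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")
MAX_SKEW = timedelta(minutes=5)  # window quoted from the AWS FAQ


class InvalidRequest(Exception):
    """Raised when the time parameters of a request are unacceptable."""


def parse_utc(value):
    """Point 2: reject any value that does not match an accepted format."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except (ValueError, TypeError):
            continue
    raise InvalidRequest("malformed time value: %r" % (value,))


def check_request_time(params, now=None, max_skew=MAX_SKEW):
    """Validate Timestamp/Expires; call only on parameters covered by a
    verified signature, otherwise the values can simply be rewritten."""
    now = now or datetime.now(timezone.utc)
    has_ts, has_exp = "Timestamp" in params, "Expires" in params
    # Point 1: exactly one of the two must be present.
    if has_ts == has_exp:
        raise InvalidRequest("need exactly one of Timestamp or Expires")
    if has_exp:
        expires = parse_utc(params["Expires"])
        if expires <= now:
            raise InvalidRequest("request has expired")
        return expires
    # Point 3: too old and too new are both rejected.
    stamp = parse_utc(params["Timestamp"])
    if abs(now - stamp) > max_skew:
        raise InvalidRequest("request has expired")
    return stamp


if __name__ == "__main__":
    # Constructed sample request, evaluated against a fixed clock.
    clock = datetime(2013, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(check_request_time({"Timestamp": "2013-01-01T11:58:00Z"}, now=clock))
```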
Changed in nova: | |
assignee: | nobody → Andrew James (ajames) |
Changed in nova: | |
importance: | Undecided → High |
status: | New → Confirmed |
tags: | added: ec2 |
Changed in nova: | |
assignee: | Roland Hochmuth (roland-hochmuth-s) → Sirisha Devineni (sirisha-devineni) |
Changed in openstack-common: | |
status: | New → In Progress |
Changed in openstack-common: | |
assignee: | nobody → Sirisha Devineni (sirisha-devineni) |
affects: | openstack-common → oslo |
Changed in nova: | |
milestone: | none → grizzly-1 |
status: | Fix Committed → Fix Released |
Changed in oslo: | |
milestone: | none → grizzly-1 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | grizzly-1 → 2013.1 |
@Andrew, are you still working on this?