Cinder

SSH injection threat in 3PAR driver

Bug #1212884 reported by Kurt Martin on 2013-08-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Undecided	Kurt Martin	Cinder 2013.2 "havana"

Bug Description

One of the 3PAR driver ssh commands (setqos) is throwing the following error:

2013-08-15 14:09:06.627 ERROR cinder.volume.drivers.san.hp.hp_3par_common [req-27634a33-8779-4949-918b-1254438086bb f5b3cede3beb4daeb5e0167f3e6e2a9b 45d5721b63d541959d17ec74fb07fc0c] SSH command injection detected: ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

Tags:

Kurt Martin (kurt-f-martin) on 2013-08-15

Changed in cinder:
assignee:	nobody → Kurt Martin (kurt-f-martin)

Michael Denny (michael-denny) on 2013-08-15

Changed in cinder:
status:	New → Confirmed

Kurt Martin (kurt-f-martin) on 2013-08-15

tags:

added: 3par drivers

Kurt Martin (kurt-f-martin) on 2013-08-15

summary:

- Fix SSH injection threat in 3PAR driver
+ SSH injection threat in 3PAR driver

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-15: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/42241

Changed in cinder:
status:	Confirmed → In Progress

Revision history for this message

Jeremy Stanley (fungi) wrote on 2013-08-16:

Switched to security for visibility, but we can switch it back if everyone agrees this is not actually exploitable. Can someone confirm?

Changed in ossa:
status:	New → Incomplete
information type:	Public → Public Security

Revision history for this message

Kurt Martin (kurt-f-martin) wrote on 2013-08-16:

Hi Jeremy, Please remove the Public Security information type flag. This was just a precautionary fix that was missed in patch https://review.openstack.org/#/c/37697/ that landed just a couple of days ago. Thanks

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-16: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/42241
Committed: http://github.com/openstack/cinder/commit/e8acc504faccbf815b53d2c39cdc6d858ba03da3
Submitter: Jenkins
Branch: master

commit e8acc504faccbf815b53d2c39cdc6d858ba03da3
Author: Kurt Martin <email address hidden>
Date: Thu Aug 15 16:22:31 2013 -0700

Fix SSH injection threat in 3PAR driver

    The setqos ssh command was not built up correctly when the following
    patch https://review.openstack.org/#/c/37697/ landed for cleaning up
    the SSH calls from injection attacks in the 3PAR driver.

    The command was in the following format causing the injection threat
    due to the spaces in the second item in the list:
    ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
    When it should actually be in the following format:
    ['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

Change-Id: I69ed8dbca3af3ba56220891411b63331c1935373
Fixes: bug 1212884

Changed in cinder:
status:	In Progress → Fix Committed

Kurt Martin (kurt-f-martin) on 2013-08-16

Changed in cinder:
status:	Fix Committed → In Progress

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-08-16:

@Kurt: I think the fix is landed now, so FixCommitted sounds like the right status ?

information type:	Public Security → Public
no longer affects:	ossa
Changed in cinder:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-09-05

Changed in cinder:
milestone:	none → havana-3
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in cinder:
milestone:	havana-3 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.