SSH injection threat in 3PAR driver

Bug #1212884 reported by Kurt Martin
Affects: Cinder
Status: Fix Released
Importance: Undecided
Assigned to: Kurt Martin
Milestone: 2013.2

Bug Description

One of the 3PAR driver ssh commands (setqos) is throwing the following error:

2013-08-15 14:09:06.627 ERROR cinder.volume.drivers.san.hp.hp_3par_common [req-27634a33-8779-4949-918b-1254438086bb f5b3cede3beb4daeb5e0167f3e6e2a9b 45d5721b63d541959d17ec74fb07fc0c] SSH command injection detected: ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

Tags: 3par drivers
Changed in cinder:
assignee: nobody → Kurt Martin (kurt-f-martin)
Changed in cinder:
status: New → Confirmed
tags: added: 3par drivers
summary: - Fix SSH injection threat in 3PAR driver
+ SSH injection threat in 3PAR driver
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/42241

Changed in cinder:
status: Confirmed → In Progress
Revision history for this message
Jeremy Stanley (fungi) wrote :

Switched to security for visibility, but we can switch it back if everyone agrees this is not actually exploitable. Can someone confirm?

Changed in ossa:
status: New → Incomplete
information type: Public → Public Security
Revision history for this message
Kurt Martin (kurt-f-martin) wrote :

Hi Jeremy, please remove the Public Security information type flag. This was just a precautionary fix that was missed in patch https://review.openstack.org/#/c/37697/ that landed just a couple of days ago. Thanks

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/42241
Committed: http://github.com/openstack/cinder/commit/e8acc504faccbf815b53d2c39cdc6d858ba03da3
Submitter: Jenkins
Branch: master

commit e8acc504faccbf815b53d2c39cdc6d858ba03da3
Author: Kurt Martin <email address hidden>
Date: Thu Aug 15 16:22:31 2013 -0700

    Fix SSH injection threat in 3PAR driver

    The setqos ssh command was not built up correctly when the following
    patch https://review.openstack.org/#/c/37697/ landed for cleaning up
    the SSH calls from injection attacks in the 3PAR driver.

    The command was in the following format causing the injection threat
    due to the spaces in the second item in the list:
    ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
    When it should actually be in the following format:
    ['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

    Change-Id: I69ed8dbca3af3ba56220891411b63331c1935373
    Fixes: bug 1212884

Changed in cinder:
status: In Progress → Fix Committed
Changed in cinder:
status: Fix Committed → In Progress
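The commit message above shows the two shapes of the setqos argument list: one pre-joined string that trips the driver's injection check, and one token per list element that passes it. The following is an added example, not Cinder's or the 3PAR driver's own code, that reconstructs the kind of check that produces the "SSH command injection detected" error in the bug description and shows why the one-token-per-element form matters: once every element is a single token with no shell metacharacters, joining the list with spaces cannot smuggle extra shell syntax into the remote CLI session. The metacharacter list, the exception name, and the `run_ssh` stand-in for the driver's SSH runner are assumptions made for this example.

```python
# Added example (not Cinder code): a command-list injection check in the
# spirit of the one the 3PAR driver runs before sending a command over SSH,
# plus the broken and fixed ways of building the setqos command.

# Assumed metacharacter set for this example; the driver's real list may differ.
_SHELL_METACHARS = ('`', '|', ';', '&&', '||', '<', '>', '$', '\n')


class SSHInjectionThreat(Exception):
    """Assumed exception name: raised when an argument is not a single safe token."""


def check_ssh_injection(cmd_list):
    """Reject any list element that is not exactly one shell token.

    Two things are checked per element:
      1. whitespace: a value such as '-io 5000 -bw 500M vvset:...' means the
         caller pre-joined several arguments, so the token boundaries the check
         relies on are hidden inside one string;
      2. shell metacharacters: a name like 'foo; reboot' would otherwise be
         passed straight to the remote shell once the list is space-joined.
    """
    for arg in cmd_list:
        if len(arg.split()) > 1:
            raise SSHInjectionThreat("argument contains whitespace: %r" % arg)
        for meta in _SHELL_METACHARS:
            if meta in arg:
                raise SSHInjectionThreat("argument contains %r: %r" % (meta, arg))
    return True


def build_setqos_cmd(io, bw, vvset, broken=False):
    """Build the setqos command list.

    broken=True reproduces the pre-fix form quoted in the commit message
    (the whole argument string as the second element). The default builds
    the fixed form: one token per element.
    """
    if broken:
        return ['setqos', '-io %s -bw %s vvset:%s' % (io, bw, vvset)]
    return ['setqos', '-io', str(io), '-bw', str(bw), 'vvset:%s' % vvset]


def run_ssh(cmd_list):
    """Stand-in for the driver's SSH runner (assumed for this example).

    Validates the list and returns the single command string that would be
    sent to the array's CLI. The plain space-join is safe only because the
    check guarantees no element contains whitespace or metacharacters.
    """
    check_ssh_injection(cmd_list)
    return ' '.join(cmd_list)


def is_rejected(cmd_list):
    """True if the check refuses the list, False if it would be sent."""
    try:
        check_ssh_injection(cmd_list)
    except SSHInjectionThreat:
        return True
    return False


if __name__ == '__main__':
    # Constructed inputs: the values from the bug's own log line.
    name = 'vvs-JOHB2Oj0QJ2UaWatwbe7Bg'
    print(run_ssh(build_setqos_cmd(5000, '500M', name)))
    print('pre-fix form rejected:', is_rejected(build_setqos_cmd(5000, '500M', name, broken=True)))
    # A hostile vvset name is caught whichever way the list is built.
    print('hostile name rejected:', is_rejected(build_setqos_cmd(5000, '500M', 'x; rm -rf /')))
```

The pre-fix list in the bug was not itself an attack: every value came from the driver, which is why the reporter asked for the security flag to be dropped. The check fires on it anyway because a string with embedded spaces is indistinguishable, from the validator's point of view, from an argument into which someone has spliced extra tokens, and the only way to keep the check meaningful is to refuse such strings unconditionally.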
Revision history for this message
Thierry Carrez (ttx) wrote :

@Kurt: I think the fix is landed now, so FixCommitted sounds like the right status ?

information type: Public Security → Public
no longer affects: ossa
Changed in cinder:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: havana-3 → 2013.2