[OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Fix Released | Undecided | Unassigned | |
| OpenStack Security Advisory | Fix Released | Medium | Unassigned | |
Bug Description
The handling of object versions with respect to container ACLs has been an area of interest lately and some questionable authorization behaviors have come to light:
https:/
Unfortunately I just discovered another one that actually seems damaging. Ability to destroy data without write access.
Any authenticated user can overwrite the most recent version of any versioned object whose name is known, in a container with the X-Versions-Location metadata field set, if they have listing access to the X-Versions-Location container, regardless of their write authorization to the container. Basically, if you can list an X-Versions-Location container you can overwrite all the current data in the source container (if you know its name) with old copies, even if you don't have write (or read) access to the source container.
Basically we're creating a preauthorized COPY from the X-Versions-Location container (assuming the user has listing access to the X-Versions-Location container, and an old version exists) without checking whether the authenticated user has write access to the destination.
Script to reproduce the problem is attached.
Possible patch to follow.
CVE References
CVE-2015-1856
| Changed in | Field | Change |
|---|---|---|
| swift | status | New → Confirmed |
| ossa | status | New → Confirmed |
| | description | updated |
| ossa | importance | Undecided → Medium |
| ossa | status | Confirmed → Triaged |
| ossa | status | Triaged → Fix Committed |
| | information type | Private Security → Public Security |
| | summary | unauthorized delete from container with x-version-location (CVE-2015-1856) → [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) |
| ossa | status | Fix Committed → Fix Released |
| | description | updated |
| swift | milestone | none → 2.3.0-rc1 |
| swift | status | Fix Committed → Fix Released |
| swift | milestone | 2.3.0-rc1 → 2.3.0 |
I think we can call the authorize callback for the original DELETE request before handling the version case, to ensure the request is authorized to DELETE objects in the source container.
Then call the authorize callback again for the fall-through DELETE to the x-versions-location object (which may fail independently if the user doesn't have write access to the target).
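As an added illustration, not code from Swift and not the patch for this bug: a toy Python model of the DELETE flow the report describes, with a vulnerable delete that pre-authorizes the restore COPY into the source container, beside a fixed delete that authorizes the DELETE against the source container first and then against the archived object in the versions container, as the comment above proposes. Container ACLs modelled as sets of user names, a `Forbidden` exception standing in for the 403 the authorize callback would return, the container and user names, and the serial-number suffix on archived copies are all assumptions of this example; only the `<3-hex-digit length><name>/` prefix follows Swift's versioning naming.

```python
"""Toy model of DELETE on a container with X-Versions-Location set.
Illustrative only: not Swift's proxy code, not the CVE-2015-1856 patch.
ACLs are sets of user names; authorize() raises Forbidden instead of
returning a 403 response as swift.authorize does."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Stands in for the 403 that the authorize callback would return."""


@dataclass
class Container:
    read_acl: Set[str] = field(default_factory=set)   # may GET / list
    write_acl: Set[str] = field(default_factory=set)  # may PUT / DELETE
    versions_location: Optional[str] = None           # X-Versions-Location
    objects: Dict[str, bytes] = field(default_factory=dict)


class Store:
    def __init__(self) -> None:
        self.containers: Dict[str, Container] = {}
        self.serial = 0  # assumed stand-in for the timestamp suffix of archived copies

    def authorize(self, user: str, container: str, method: str) -> None:
        """Read ACL for GET/HEAD, write ACL for PUT/DELETE."""
        c = self.containers[container]
        allowed = c.write_acl if method in ("PUT", "DELETE") else c.read_acl
        if user not in allowed:
            raise Forbidden(f"{user} may not {method} in {container}")

    @staticmethod
    def _prefix(name: str) -> str:
        return f"{len(name):03x}{name}/"  # Swift's archived-version prefix

    def put(self, user: str, container: str, name: str, data: bytes) -> None:
        self.authorize(user, container, "PUT")
        c = self.containers[container]
        if c.versions_location and name in c.objects:
            self.serial += 1  # archive the current copy before overwriting it
            vc = self.containers[c.versions_location]
            vc.objects[f"{self._prefix(name)}{self.serial:010d}"] = c.objects[name]
        c.objects[name] = data

    def _latest_version(self, user: str, c: Container, name: str) -> Optional[str]:
        # The listing sub-request is authorized against the caller: listing
        # access to the versions container is all the attacker needs.
        self.authorize(user, c.versions_location, "GET")
        vc = self.containers[c.versions_location]
        keys = sorted(k for k in vc.objects if k.startswith(self._prefix(name)))
        return keys[-1] if keys else None

    def delete_vulnerable(self, user: str, container: str, name: str) -> None:
        c = self.containers[container]
        if c.versions_location:
            last = self._latest_version(user, c, name)
            if last is not None:
                vc = self.containers[c.versions_location]
                # BUG: the restore COPY into `container` and the DELETE of the
                # archived copy are pre-authorized; write access to the
                # source container is never checked.
                c.objects[name] = vc.objects.pop(last)
                return
        self.authorize(user, container, "DELETE")
        c.objects.pop(name, None)

    def delete_fixed(self, user: str, container: str, name: str) -> None:
        # Authorize the original DELETE against the source container first.
        self.authorize(user, container, "DELETE")
        c = self.containers[container]
        if c.versions_location:
            last = self._latest_version(user, c, name)
            if last is not None:
                # Authorize the fall-through DELETE of the archived copy too,
                # before mutating anything, so a refusal leaves both intact.
                self.authorize(user, c.versions_location, "DELETE")
                vc = self.containers[c.versions_location]
                c.objects[name] = vc.objects.pop(last)
                return
        c.objects.pop(name, None)


def build_store() -> Store:
    """Constructed sample: 'owner' owns both containers; 'mallory' can only
    list the versions container and has no access to 'src' at all."""
    s = Store()
    s.containers["src"] = Container(read_acl={"owner"}, write_acl={"owner"},
                                    versions_location="vers")
    s.containers["vers"] = Container(read_acl={"owner", "mallory"},
                                     write_acl={"owner"})
    s.put("owner", "src", "report.txt", b"v1")  # archived by the next PUT
    s.put("owner", "src", "report.txt", b"v2")  # current content
    return s


def attempt(delete_method: str, user: str):
    """One DELETE on a fresh store: (outcome, current content, archived count)."""
    s = build_store()
    try:
        getattr(s, delete_method)(user, "src", "report.txt")
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    return (outcome, s.containers["src"].objects.get("report.txt"),
            len(s.containers["vers"].objects))


if __name__ == "__main__":
    for method in ("delete_vulnerable", "delete_fixed"):
        for user in ("mallory", "owner"):
            print(method, user, attempt(method, user))
```

Under the vulnerable path 'mallory', who can only list `vers`, replaces the current `report.txt` in `src` with the archived `v1` and consumes the archived copy; under the fixed path the same request is refused at the first authorize call and both containers are left untouched, while the owner's DELETE still restores the previous version. The fixed variant deliberately runs both authorize calls before it copies or deletes anything, so a failure on the second check cannot leave a half-applied restore.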