Insecure signing_dir configuration in barbican-api-paste.ini
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Barbican |
Fix Released
|
Critical
|
Charles Neill | ||
Kilo |
Fix Released
|
Critical
|
Douglas Mendizábal |
Bug Description
It appears that Barbican sets signing_dir to "/tmp/barbican/
A Nova bug from 2013 (https:/
"This means that if an attacker populated the /tmp/keystone-
with the appropriate files for signautre verification they could potentially
issue forged tokens which would be validated by the middleware. As:
- The directory location deterministic. (default for glance, nova)
- *If the directory already exists it is reused*"
This Nova bug was issued CVE-2013-2030: http://
This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode:
2015-03-23 16:59:15 zigo_ I just saw in barbican-
2015-03-23 16:59:28 zigo_ The signing_dir directive should never be set to /tmp like this.
2015-03-23 16:59:33 zigo_ Best is to simply remove the directive.
2015-03-23 16:59:57 zigo_ I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :)
zigo's suggested fix was to remove the directive. It appears Cinder has taken this approach for their project (https:/
information type: | Private Security → Public |
Changed in barbican: | |
status: | New → Confirmed |
importance: | Undecided → Critical |
assignee: | nobody → Charles Neill (charles-neill) |
milestone: | none → liberty-1 |
Changed in barbican: | |
status: | Confirmed → In Progress |
Changed in barbican: | |
status: | Fix Committed → Fix Released |
Changed in barbican: | |
milestone: | liberty-1 → 1.0.0 |
Related fix proposed to branch: master /review. openstack. org/176071
Review: https:/