SSH injection threat in 3PAR driver

Bug #1212884 reported by Kurt Martin on 2013-08-15
This bug affects 1 person
Affects: Cinder
Importance: Undecided
Assigned to: Kurt Martin

Bug Description

One of the 3PAR driver ssh commands (setqos) is throwing the following error:

2013-08-15 14:09:06.627 ERROR cinder.volume.drivers.san.hp.hp_3par_common [req-27634a33-8779-4949-918b-1254438086bb f5b3cede3beb4daeb5e0167f3e6e2a9b 45d5721b63d541959d17ec74fb07fc0c] SSH command injection detected: ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

Changed in cinder:
assignee: nobody → Kurt Martin (kurt-f-martin)
Changed in cinder:
status: New → Confirmed
tags: added: 3par drivers
summary: - Fix SSH injection threat in 3PAR driver
+ SSH injection threat in 3PAR driver

Fix proposed to branch: master
Review: https://review.openstack.org/42241

Changed in cinder:
status: Confirmed → In Progress
Jeremy Stanley (fungi) wrote :

Switched to security for visibility, but we can switch it back if everyone agrees this is not actually exploitable. Can someone confirm?

Changed in ossa:
status: New → Incomplete
information type: Public → Public Security
Kurt Martin (kurt-f-martin) wrote :

Hi Jeremy, please remove the Public Security information type flag. This was just a precautionary fix that was missed in patch https://review.openstack.org/#/c/37697/ that landed just a couple of days ago. Thanks

Reviewed: https://review.openstack.org/42241
Committed: http://github.com/openstack/cinder/commit/e8acc504faccbf815b53d2c39cdc6d858ba03da3
Submitter: Jenkins
Branch: master

commit e8acc504faccbf815b53d2c39cdc6d858ba03da3
Author: Kurt Martin <email address hidden>
Date: Thu Aug 15 16:22:31 2013 -0700

    Fix SSH injection threat in 3PAR driver

    The setqos ssh command was not built up correctly when the following
    patch https://review.openstack.org/#/c/37697/ landed for cleaning up
    the SSH calls from injection attacks in the 3PAR driver.

    The command was in the following format causing the injection threat
    due to the spaces in the second item in the list:
    ['setqos', '-io 5000 -bw 500M vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']
    When it should actually be in the following format:
    ['setqos', '-io', '5000', '-bw', '500M', 'vvset:vvs-JOHB2Oj0QJ2UaWatwbe7Bg']

    Change-Id: I69ed8dbca3af3ba56220891411b63331c1935373
    Fixes: bug 1212884

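The commit message above describes the defect only by its two command shapes. The block below is an added example written for this page, not Cinder's own utils.check_ssh_injection and not the 3PAR driver: it models the kind of per-token check that produces the "SSH command injection detected" error (the names SSHInjectionThreat, check_ssh_injection, build_setqos_cmd, broken_setqos_cmd, is_rejected and join_for_ssh are assumptions), shows why the space-joined second element is flagged, and why the per-word list from the fix passes while a crafted vvset name still gets rejected.

```python
"""Added example, not Cinder code: why a space-joined setqos argument
trips an SSH-injection check, and how a per-token argv passes it.

All function and class names here are assumptions chosen for this page;
they mirror the behaviour described in the bug report, nothing more."""
import re
import shlex

# Shell operators that must never appear inside a single argv token.
SHELL_OPERATORS = ('`', '|', ';', '&', '>', '<', '$(', '\n')


class SSHInjectionThreat(ValueError):
    """Raised when a command list could be re-parsed by the remote shell
    into more than the one command the caller intended."""


def check_ssh_injection(cmd_list):
    """Reject any token that is not a single shell word.

    Deliberately conservative: an unquoted token containing whitespace is
    treated as an injection attempt, because the remote shell would split
    it into several words. That is exactly what the single
    '-io 5000 -bw 500M vvset:...' element from the bug report triggers."""
    for arg in cmd_list:
        arg = arg.strip()
        quoted = re.match(r'^(?P<q>[\'"])(?P<body>.*)(?P=q)$', arg)
        if quoted:
            # A fully quoted token may hold spaces, but no unescaped quote
            # that would let the shell close the string early.
            if re.search(r'(^|[^\\])[\'"]', quoted.group('body')):
                raise SSHInjectionThreat(cmd_list)
        elif len(arg.split()) > 1:
            raise SSHInjectionThreat(cmd_list)
        for op in SHELL_OPERATORS:
            pos = arg.find(op)
            if pos != -1 and (pos == 0 or arg[pos - 1] != '\\'):
                raise SSHInjectionThreat(cmd_list)
    return True


def is_rejected(cmd_list):
    """True when the check flags the list (used for the demonstration)."""
    try:
        check_ssh_injection(cmd_list)
    except SSHInjectionThreat:
        return True
    return False


def build_setqos_cmd(io_limit, bw_limit, vvset_name):
    """Build the setqos argv the way the fix does: one list element per
    shell word, so caller-controlled values are never string-joined with
    flags they do not own."""
    cmd = ['setqos',
           '-io', str(int(io_limit)),   # int() rejects '5000; id'
           '-bw', str(bw_limit),
           'vvset:%s' % vvset_name]
    check_ssh_injection(cmd)
    return cmd


def broken_setqos_cmd(io_limit, bw_limit, vvset_name):
    """The pre-fix shape from the bug report: flags and values concatenated
    into one token. Kept only to show that the check rejects it."""
    cmd = ['setqos',
           '-io %s -bw %s vvset:%s' % (io_limit, bw_limit, vvset_name)]
    check_ssh_injection(cmd)
    return cmd


def join_for_ssh(cmd_list):
    """Quote each token before it is sent as one SSH command line, so a
    value that passed the check still cannot grow into extra shell words."""
    return ' '.join(shlex.quote(tok) for tok in cmd_list)
```

The check runs on the Python side before anything reaches the array, so the vvset name from the report (`vvs-JOHB2Oj0QJ2UaWatwbe7Bg`) passes as a single word, while a name such as `vvs-x;id` or `vvs-x; rm -rf /` is rejected even though it is already in its own list element; quoting with shlex.quote on top of the check is belt-and-braces, not a replacement for it.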
Changed in cinder:
status: In Progress → Fix Committed
Changed in cinder:
status: Fix Committed → In Progress
Thierry Carrez (ttx) wrote :

@Kurt: I think the fix is landed now, so FixCommitted sounds like the right status?

information type: Public Security → Public
no longer affects: ossa
Changed in cinder:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in cinder:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in cinder:
milestone: havana-3 → 2013.2