Cinder

Able to show volumes associated with different project

Bug #1356368 reported by git-harry
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
Critical
git-harry
Cinder 2014.2 "juno"
Icehouse
Fix Released
Critical
Jay Bryant
Cinder 2014.1.3
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

https://github.com/openstack/cinder/commit/0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04 appears to have introduced a bug making it possible to show the details of a volume under another project_id.

$ . ~/devstack/openrc demo demo
$ cinder list
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
| c99fe35a-47ef-448a-af31-edf7d04cd44a | available | demo1 | 1 | lvmdriver-1 | false | |
+--------------------------------------+-----------+-------+------+-------------+----------+-------------+
$ cinder list --all-tenants 1
+--------------------------------------+----------------------------------+-----------+-------+------+-------------+----------+-------------+
| ID | Tenant ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+----------------------------------+-----------+-------+------+-------------+----------+-------------+
| c99fe35a-47ef-448a-af31-edf7d04cd44a | 807f2a0ef357420e9a70ac1a5fef7a4c | available | demo1 | 1 | lvmdriver-1 | false | |
+--------------------------------------+----------------------------------+-----------+-------+------+-------------+----------+-------------+
$ cinder show ad3194a3-8304-4d17-8f66-f1a1a261d339
+------------------------------+--------------------------------------+
| Property | Value |
+------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| created_at | 2014-08-12T11:06:33.000000 |
| description | None |
| encrypted | False |
| id | ad3194a3-8304-4d17-8f66-f1a1a261d339 |
| metadata | {} |
| name | admin1 |
| os-vol-tenant-attr:tenant_id | e66effcd5db642dfabceabc76ea78196 |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| user_id | 7e540d1944a74bd4a90aa9a8b15d09b0 |
| volume_type | lvmdriver-1 |
+------------------------------+--------------------------------------+

Revision history for this message
git-harry (git-harry) wrote :

https://review.openstack.org/113886

Changed in cinder:
assignee: nobody → git-harry (git-harry)
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thanks for the report, I've set the OSSA task to incomplete, pending additional details from @cinder-coresec.
Though this require knowledge of UUID and may not represent a vulnerability as-is.

Also, now that a review have been submitted we may mark this report Public security.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Thierry Carrez (ttx) wrote :

This looks like a regression in development release. As long as it's fixed in Juno final release, we should not issue an advisory about it.

Changed in ossa:
status: Incomplete → Won't Fix
Changed in cinder:
milestone: none → juno-3
importance: Undecided → Critical
Revision history for this message
Thierry Carrez (ttx) wrote :

Hrm, that was backported to icehouse

Changed in ossa:
status: Won't Fix → Incomplete
information type: Private Security → Public Security
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

BTW the stable/icehouse patch was backported against the stable maint rules (one core pushed the patch without waiting for approval from another core). Just sayin'.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/113886
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=5868e8f285d23b56ca6123dab760342c57bf8c80
Submitter: Jenkins
Branch: master

commit 5868e8f285d23b56ca6123dab760342c57bf8c80
Author: git-harry <email address hidden>
Date: Wed Aug 13 14:22:49 2014 +0100

    Prevent tenant viewing volumes owed by another

    Bug introduced by 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04 allows any
    tenant to get the details of a volume belonging to any other tenant
    if the UUID is known.

    This commit allows only the tenant or an admin to get a volume.

    Change-Id: I0268d374f7529d89068dcbf3c1cb9ab3d60d4115
    Closes-Bug: #1356368

Changed in cinder:
status: New → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cinder (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/115304

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to cinder (master)

Reviewed: https://review.openstack.org/115304
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d6d75f868d5da77c2c8e20d0562555a14a6f91ec
Submitter: Jenkins
Branch: master

commit d6d75f868d5da77c2c8e20d0562555a14a6f91ec
Author: Zhiteng Huang <email address hidden>
Date: Tue Aug 19 22:27:26 2014 +0800

    Honor volume:get policy

    The fix for bug 1356368 hard-coded a policy check (same as
    rule:admin_or_owner) for volume:get. While in most cases this is
    what people want, it'd be good we honor policy setting.

    Note that before commit 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04,
    DB query volume_get() actually acted as the policy checker for
    volume:get, and it raised VolumeNotFound if context.project_id didn't
    match volume['project_id']. The check_policy() in volume:get didn't
    get a chance to raise PolicyNotAuthorized exception. So in this
    change we keep the same behavor.

    Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5
    Related-bug: #1356368

Revision history for this message
Thierry Carrez (ttx) wrote :

Since this requires guessing the UUID, it's not really a practical attack, and the info leaked in the unlikely case you guess the UUID is not exactly critical. I think we need to fix the regression, but can pass on a security advisory here. Thoughts ?

Revision history for this message
Thierry Carrez (ttx) wrote :

Unless someone complains before Monday, I propose we don't publish an advisory here (not an exploitable vulnerability).
This still needs to be backported to icehouse though.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/117546

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cinder (stable/icehouse)

Related fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/117550

Thierry Carrez (ttx)
Changed in cinder:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ossa:
status: Incomplete → Won't Fix
information type: Public Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/icehouse)

Reviewed: https://review.openstack.org/117546
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=da65d08f20021ac60a8c6fc2b5577b60911aeb79
Submitter: Jenkins
Branch: stable/icehouse

commit da65d08f20021ac60a8c6fc2b5577b60911aeb79
Author: git-harry <email address hidden>
Date: Wed Aug 13 14:22:49 2014 +0100

    Prevent tenant viewing volumes owned by another

    Bug introduced by 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04 allows any
    tenant to get the details of a volume belonging to any other tenant
    if the UUID is known.

    This commit allows only the tenant or an admin to get a volume.

    Change-Id: I0268d374f7529d89068dcbf3c1cb9ab3d60d4115
    Closes-Bug: #1356368
    (cherry picked from commit 5868e8f285d23b56ca6123dab760342c57bf8c80)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to cinder (stable/icehouse)

Reviewed: https://review.openstack.org/117550
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=c2826368c2992668a25e026bdc57f0a2ed6f1773
Submitter: Jenkins
Branch: stable/icehouse

commit c2826368c2992668a25e026bdc57f0a2ed6f1773
Author: Zhiteng Huang <email address hidden>
Date: Tue Aug 19 22:27:26 2014 +0800

    Honor volume:get policy

    The fix for bug 1356368 hard-coded a policy check (same as
    rule:admin_or_owner) for volume:get. While in most cases this is
    what people want, it'd be good we honor policy setting.

    Note that before commit 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04,
    DB query volume_get() actually acted as the policy checker for
    volume:get, and it raised VolumeNotFound if context.project_id didn't
    match volume['project_id']. The check_policy() in volume:get didn't
    get a chance to raise PolicyNotAuthorized exception. So in this
    change we keep the same behavor.

    Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5
    Related-bug: #1356368
    (cherry picked from commit d6d75f868d5da77c2c8e20d0562555a14a6f91ec)

tags: added: in-stable-icehouse
Thierry Carrez (ttx)
Changed in cinder:
milestone: juno-3 → 2014.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.