[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Heat | Fix Released | High | Zane Bitter | |
| Kilo | Fix Released | Undecided | Unassigned | |
| OpenStack Security Advisory | Fix Released | Critical | Tristan Cacqueray | |
Bug Description
In service.py validate_template, we do an env.get_class bypassing the global_ template_ allowed schemas to "('file',)"

https:/
https:/

The net result of this is that any call to template-validate which specifies type: foo.yaml will read that file from the filesystem of the heat service. This actually means template-validate calls which should fail work on typical devstack envs where the client and heat-engine are co-located (it took me a while to work out why!!).

I've not figured out any way for this to be exploitable, but it definitely seems wrong that we allow user-provided paths to be read like this, and there could be some risk if folks could work out a way to make validation blow up with a stack trace containing any file contents.
Changed in heat:
- status: New → Confirmed
- importance: Undecided → High
- assignee: nobody → Angus Salkeld (asalkeld)

Changed in ossa:
- status: Incomplete → Confirmed
- importance: Undecided → High
- summary: "template-validate may read server local files" → "template-validate may read server local files (CVE-2015-5295)"

Changed in ossa:
- importance: High → Critical
- information type: Private Security → Public Security
- summary: "template-validate may read server local files (CVE-2015-5295)" → "[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295)"
- description: updated

Changed in ossa:
- status: Fix Committed → Fix Released
Note I raised this as private security initially so we can discuss how this should be handled. AFAICT there's no way for this to be actively exploited, but the sort of risk I'm worried about is e.g. if someone tried to pass a path to a hiera yaml file on the heat server box, where the hieradata could contain sensitive information. I don't think there's any way for validation to fail such as to expose that data, but it'd be good to get some more eyes on the code to prove that is the case (if so this can probably be public security IMO).