2015-09-16 08:08:10 |
Steven Hardy |
bug |
|
|
added bug |
2015-09-16 08:15:04 |
Steven Hardy |
bug |
|
|
added subscriber Jay Dobies |
2015-09-16 08:15:21 |
Steven Hardy |
bug |
|
|
added subscriber Steve Baker |
2015-09-16 11:57:50 |
Steven Hardy |
bug |
|
|
added subscriber Garth Mollett |
2015-09-16 20:32:11 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-09-16 20:32:59 |
Jeremy Stanley |
bug |
|
|
added subscriber Heat Core security contacts |
2015-09-16 20:33:13 |
Jeremy Stanley |
description |
In service.py validate_template, we do an env.get_class bypassing
the global_environment(), which ends up calling
template_resource.generate_class, which wrongly defaults the get_template_file
allowed schemas to "('file',)"
https://github.com/openstack/heat/blob/master/heat/engine/service.py#L958
https://github.com/openstack/heat/blob/master/heat/engine/resources/template_resource.py#L31
The net result of this is that any call to template-validate which
specifies type: foo.yaml will read that file from the filesystem of the
heat service - this actually means template-validate calls which should
fail work on typical devstack envs where the client and heat-engine are
co-located (it took me a while to work out why!!)
I've not figured out any way for this to be exploitable, but it definitely
seems wrong that we allow user-provided paths to be read like this,
and there could be some risk if folks could work out a way to make
validation blow up with a stack-trace containing any file contents. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
In service.py validate_template, we do an env.get_class bypassing
the global_environment(), which ends up calling
template_resource.generate_class, which wrongly defaults the get_template_file
allowed schemas to "('file',)"
https://github.com/openstack/heat/blob/master/heat/engine/service.py#L958
https://github.com/openstack/heat/blob/master/heat/engine/resources/template_resource.py#L31
The net result of this is that any call to template-validate which
specifies type: foo.yaml will read that file from the filesystem of the
heat service - this actually means template-validate calls which should
fail work on typical devstack envs where the client and heat-engine are
co-located (it took me a while to work out why!!)
I've not figured out any way for this to be exploitable, but it definitely
seems wrong that we allow user-provided paths to be read like this,
and there could be some risk if folks could work out a way to make
validation blow up with a stack-trace containing any file contents. |
|
2015-09-16 20:33:29 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-09-17 01:24:41 |
Angus Salkeld |
heat: status |
New |
Confirmed |
|
2015-09-17 01:24:47 |
Angus Salkeld |
heat: importance |
Undecided |
High |
|
2015-09-17 01:24:49 |
Angus Salkeld |
heat: assignee |
|
Angus Salkeld (asalkeld) |
|
2015-09-17 01:44:57 |
Angus Salkeld |
attachment added |
|
Restrict template file access to /etc/heat/templates/ https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4466489/+files/0001-Restrict-template-file-access-to-etc-heat-templates.patch |
|
2015-09-17 03:05:08 |
Angus Salkeld |
attachment added |
|
Restrict template file access to /etc/heat/templates/ https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4466501/+files/0001-Restrict-template-file-access-to-etc-heat-templates.patch |
|
2015-09-18 01:54:20 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2015-09-18 01:54:32 |
Tristan Cacqueray |
ossa: importance |
Undecided |
High |
|
2015-10-05 18:26:42 |
Tristan Cacqueray |
ossa: status |
Confirmed |
In Progress |
|
2015-10-05 18:26:45 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-10-06 12:46:16 |
Tristan Cacqueray |
summary |
template-validate may read server local files |
template-validate may read server local files (CVE-2015-5295) |
|
2015-10-06 12:46:20 |
Tristan Cacqueray |
cve linked |
|
2015-5295 |
|
2015-11-04 14:20:51 |
Steven Hardy |
bug |
|
|
added subscriber Mark Chappell |
2015-11-23 15:09:17 |
Jeremy Stanley |
ossa: importance |
High |
Critical |
|
2015-11-25 23:10:01 |
Zane Bitter |
attachment added |
|
load-files-from-correct-source.patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4525484/+files/load-files-from-correct-source.patch |
|
2015-12-09 22:06:24 |
Steven Hardy |
attachment added |
|
Updated patch for git am https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4532176/+files/load-files-from-correct-source-2.patch |
|
2016-01-11 23:53:00 |
Zane Bitter |
attachment added |
|
Final patch for master https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4548273/+files/bug1496277-master.patch |
|
2016-01-11 23:54:37 |
Zane Bitter |
attachment added |
|
Final patch for Liberty https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4548274/+files/bug1496277-liberty.patch |
|
2016-01-11 23:55:06 |
Zane Bitter |
attachment added |
|
Final patch for Kilo https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4548275/+files/bug1496277-kilo.patch |
|
2016-01-13 15:12:35 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2016-01-13 16:08:14 |
Steven Hardy |
bug |
|
|
added subscriber Sergey Kraynev |
2016-01-14 21:42:03 |
Zane Bitter |
attachment added |
|
Juno patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4550122/+files/bug1496277-juno.patch |
|
2016-01-14 21:43:00 |
Zane Bitter |
attachment added |
|
Icehouse patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4550123/+files/bug1496277-icehouse.patch |
|
2016-01-14 21:43:31 |
Zane Bitter |
heat: assignee |
Angus Salkeld (asalkeld) |
Zane Bitter (zaneb) |
|
2016-01-19 14:59:59 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
2016-01-19 15:01:03 |
OpenStack Infra |
heat: status |
Confirmed |
In Progress |
|
2016-01-19 16:54:38 |
Tristan Cacqueray |
summary |
template-validate may read server local files (CVE-2015-5295) |
[OSSA 2016-003] template-validate may read server local files (CVE-2015-5295) |
|
2016-01-19 18:17:23 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
In service.py validate_template, we do an env.get_class bypassing
the global_environment(), which ends up calling
template_resource.generate_class, which wrongly defaults the get_template_file
allowed schemas to "('file',)"
https://github.com/openstack/heat/blob/master/heat/engine/service.py#L958
https://github.com/openstack/heat/blob/master/heat/engine/resources/template_resource.py#L31
The net result of this is that any call to template-validate which
specifies type: foo.yaml will read that file from the filesystem of the
heat service - this actually means template-validate calls which should
fail work on typical devstack envs where the client and heat-engine are
co-located (it took me a while to work out why!!)
I've not figured out any way for this to be exploitable, but it definitely
seems wrong that we allow user-provided paths to be read like this,
and there could be some risk if folks could work out a way to make
validation blow up with a stack-trace containing any file contents. |
In service.py validate_template, we do an env.get_class bypassing
the global_environment(), which ends up calling
template_resource.generate_class, which wrongly defaults the get_template_file
allowed schemas to "('file',)"
https://github.com/openstack/heat/blob/master/heat/engine/service.py#L958
https://github.com/openstack/heat/blob/master/heat/engine/resources/template_resource.py#L31
The net result of this is that any call to template-validate which
specifies type: foo.yaml will read that file from the filesystem of the
heat service - this actually means template-validate calls which should
fail work on typical devstack envs where the client and heat-engine are
co-located (it took me a while to work out why!!)
I've not figured out any way for this to be exploitable, but it definitely
seems wrong that we allow user-provided paths to be read like this,
and there could be some risk if folks could work out a way to make
validation blow up with a stack-trace containing any file contents. |
|
2016-01-19 20:11:07 |
OpenStack Infra |
tags |
|
in-stable-liberty |
|
2016-01-19 20:27:44 |
OpenStack Infra |
tags |
in-stable-liberty |
in-stable-kilo in-stable-liberty |
|
2016-01-19 22:01:35 |
Zane Bitter |
attachment added |
|
Icehouse patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4552973/+files/bug1496277-icehouse.patch |
|
2016-01-19 22:02:00 |
Zane Bitter |
attachment removed |
Icehouse patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4550123/+files/bug1496277-icehouse.patch |
|
|
2016-01-19 22:03:41 |
Zane Bitter |
attachment added |
|
Juno patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4552974/+files/bug1496277-juno.patch |
|
2016-01-19 22:03:58 |
Zane Bitter |
attachment removed |
Juno patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4550122/+files/bug1496277-juno.patch |
|
|
2016-01-21 10:38:29 |
OpenStack Infra |
heat: status |
In Progress |
Fix Released |
|
2016-01-21 12:37:09 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
2016-01-21 20:20:09 |
Dave Walker |
nominated for series |
|
heat/kilo |
|
2016-01-21 20:20:09 |
Dave Walker |
bug task added |
|
heat/kilo |
|
2016-01-21 20:21:26 |
Dave Walker |
heat/kilo: status |
New |
Fix Committed |
|
2016-01-21 20:21:26 |
Dave Walker |
heat/kilo: milestone |
|
2015.1.3 |
|
2016-01-21 23:15:03 |
Dave Walker |
heat/kilo: status |
Fix Committed |
Fix Released |
|
2016-02-25 16:29:41 |
Zane Bitter |
attachment added |
|
Juno patch (updated) https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4580996/+files/bug1496277-juno.patch |
|
2016-02-25 16:29:58 |
Zane Bitter |
attachment removed |
Juno patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4552974/+files/bug1496277-juno.patch |
|
|
2016-02-25 16:30:27 |
Zane Bitter |
attachment added |
|
Icehouse patch (updated) https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4580997/+files/bug1496277-icehouse.patch |
|
2016-02-25 16:30:47 |
Zane Bitter |
attachment removed |
Icehouse patch https://bugs.launchpad.net/heat/+bug/1496277/+attachment/4552973/+files/bug1496277-icehouse.patch |
|
|