[OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Heat | Fix Released | High | Unassigned | |
Grizzly | Fix Released | High | Steven Hardy | |
Havana | Fix Released | High | Unassigned | |
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
Bug Description
I've discovered a problem with the way the Heat cloudformation-
We provide a default policy which looks like:
"deny_
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
"cloudforma
The intention is that in-instance users are denied access to all API actions except DescribeStackRe
The bug I've discovered means that the CreateStack and UpdateStack actions are not correctly enforcing the policy, so in theory the in-instance users might be able to create or update a stack, which they should not be allowed to do.
This affects templates using the following resources:
AWS::IAM::User, which is used when using AWS::IAM::AccessKey
AWS::CloudForma
OS::Heat:
AWS::AutoScalin
I have a patch with a fix and associated tests demonstrating the issue.
Note that we currently don't have any policy enforcement on the native ReST API, which I'm also looking at fixing, but this seems particularly worrisome because we aren't enforcing the policy we advertise, whereas we don't provide any rules related to the native API yet (and in-instance agents don't yet expect to connect to it) so hopefully it's clear that functionality is not yet implemented.
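The bug class reported above (a deny rule that exists in the policy but is never consulted by some handlers) can be caught with a coverage-style regression check. The following is an added example, not code from the report or from Heat; the rule name, role name, controller classes and `ExampleAllowedAction` are hypothetical stand-ins, and only `CreateStack` and `UpdateStack` are taken from the report.

```python
class Forbidden(Exception):
    """Raised when the policy denies an action."""

# Constructed policy table: rule and role names are hypothetical.
DENY = "deny_in_instance"
POLICY = {"CreateStack": DENY, "UpdateStack": DENY, "DeleteStack": DENY,
          "ExampleAllowedAction": ""}  # placeholder for the one permitted action

def enforce(action, roles):
    # Unknown actions fall back to deny, so a missing rule fails closed.
    if POLICY.get(action, DENY) == DENY and "in_instance_user" in roles:
        raise Forbidden(action)

def checked(action):
    """Decorator that runs the policy check before the handler body."""
    def wrap(fn):
        def handler(self, roles):
            enforce(action, roles)
            return fn(self, roles)
        return handler
    return wrap

class BuggyController:
    # CreateStack and UpdateStack never call enforce(): the reported bug class.
    def CreateStack(self, roles): return "created"
    def UpdateStack(self, roles): return "updated"
    @checked("DeleteStack")
    def DeleteStack(self, roles): return "deleted"
    @checked("ExampleAllowedAction")
    def ExampleAllowedAction(self, roles): return "ok"

class FixedController(BuggyController):
    @checked("CreateStack")
    def CreateStack(self, roles): return "created"
    @checked("UpdateStack")
    def UpdateStack(self, roles): return "updated"

def unenforced_actions(controller):
    """Return actions the policy denies but the controller still executes."""
    leaked = []
    for action, rule in sorted(POLICY.items()):
        try:
            getattr(controller, action)(["in_instance_user"])
        except Forbidden:
            continue
        if rule == DENY:
            leaked.append(action)
    return leaked
```

Driving the audit from the policy table rather than from a hand-written list of handlers means a newly added action with a deny rule is probed automatically.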
CVE References
Changed in ossa: | |
assignee: | nobody → Jeremy Stanley (fungi) |
Changed in heat: | |
milestone: | icehouse-2 → icehouse-1 |
summary: |
- CFN policy rules not all enforced
+ Heat CFN policy rules not all enforced |
summary: |
- Heat CFN policy rules not all enforced
+ Heat CFN policy rules not all enforced (CVE-2013-6426) |
Changed in ossa: | |
status: | Triaged → In Progress |
Changed in ossa: | |
status: | In Progress → Fix Committed |
information type: | Private Security → Public Security |
Changed in heat: | |
assignee: | Jeremy Stanley (fungi) → nobody |
summary: |
- Heat CFN policy rules not all enforced (CVE-2013-6426)
+ [OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
milestone: | icehouse-2 → 2014.1 |
Does this affect Havana as well? If so we'll want a stable/havana bugtask and backport of the patch.