OpenStack Shared File Systems Service (Manila)

  1. Bug #1861485
  2. Comment #23

Comment 23 for bug 1861485

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

Hello,

an update: patches have been refreshed for this bug, and attached here.

I reached out to Jeremy, and he agreed to take a look at this embargo disclosure notice before I post it to <email address hidden> and <email address hidden>. Thank you! Please let me know if i can change anything. Next steps, after the draft message:

````````````````````````````````````````````````````````````````````````````````````

Subject: [pre-OSSA] Vulnerability in OpenStack Manila (CVE-2020-9543)

This is an advance warning of a vulnerability discovered in
OpenStack Manila, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

OpenStack Manila <= 9.1.0 allows other project users to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: CVE-2020-9543

Proposed public disclosure date/time:
2020-03-09, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://bugs.launchpad.net/manila/+bug/1861485
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.

--
Goutham Pacha Ravi
Project Team Lead, OpenStack Manila

Attachments:
cve-2020-9543-master-ussuri.patch
cve-2020-9543-stable-train.patch
cve-2020-9543-stable-stein.patch
cve-2020-9543-stable-rocky.patch
cve-2020-9543-stable-queens.patch
cve-2020-9543-stable-pike.patch

````````````````````````````````````````````````````````````````````````````````````

Next Steps:

* On public disclosure (2020-03-09, 1500 UTC) - I'll switch this bug to public, and coordinate with mnaser to upload the patches to review.opendev.org.
* Tom and I will review/fast track approvals with the help of other cores
* Once patches have merged, I'll request a release from train, stein and rocky branches. (The patches for queens and pike have only been provided for courtesy - we will not perform a release on those branches).
* Simultaneously, I'll coordinate with the VMT team to publish an OSSA to <email address hidden> and <email address hidden>.