Unauthorized delete of versioned Swift object
Bug #1442041 reported by
Vitaly Sedelnik
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Fix Released
|
Critical
|
Alexey Khivin | ||
| 5.1.x |
Fix Released
|
Critical
|
Alexey Khivin | ||
| 6.0.x |
Fix Released
|
Critical
|
Alexey Khivin | ||
| 6.1.x |
Fix Released
|
Critical
|
Alexey Khivin | ||
Bug Description
Clay Gerrard from SwiftStack reported a vulnerability in Swift object
versioning. An authenticated user can delete the most recent version of
any versioned object who's name is known if the user have listing access
to the x-versions-location container. Only Swift setups with
allow_version setting are affected.
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/icehouse, stable/juno and master on the public
disclosure date.
CVE: CVE-2015-1856
Proposed public disclosure date/time:
2015-04-14, 1500UTC
CVE References
Revision history for this message
| Vitaly Sedelnik (vsedelnik) wrote | #2 |
Revision history for this message
| Vitaly Sedelnik (vsedelnik) wrote | #3 |
Revision history for this message
| Alexey Khivin (akhivin) wrote | #5 |
Revision history for this message
| Alexey Khivin (akhivin) wrote | #6 |
| information type: | Private Security → Public Security |
Revision history for this message
| Timur Nurlygayanov (tnurlygayanov) wrote | #7 |
| Changed in mos: | |
| status: | Fix Committed → Fix Released |
Revision history for this message
| Adam Heczko (aheczko-mirantis) wrote | #8 |
Revision history for this message
| Vitaly Sedelnik (vsedelnik) wrote | #9 |
| tags: | added: feature-security |
To post a comment you must log in.
"Only Swift setups with allow_version setting are affected."
By default Fuel sets allow_version to false.
So, this vulnerability does not affect MOS deployments older then version 6.1
see
https:/