[OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414)
Bug #1357379 reported by Elena Ezhova
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Fix Released | Medium | Grant Murphy | |
| neutron | Fix Released | High | Elena Ezhova | |
| Havana | Invalid | Undecided | Elena Ezhova | |
| Icehouse | Fix Released | High | Ihar Hrachyshka | |
Bug Description
If a non-admin user updates an attribute that should be modifiable only by an admin, changing it from a non-default value back to its default, the update succeeds and no PolicyNotAuthorized exception is raised.
The cause lies in how the rule to match for a given action is built: each attribute in the resource body is checked to be present and to hold a non-default value before its per-attribute rule is added to the match. An attribute that is being reset to its default value is therefore not considered explicitly set, so the corresponding admin_only rule is never enforced.
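The failure mode described above, as an added example that is not neutron's own policy code: a simplified model of the per-attribute policy check, with the pre-fix "value differs from the default" predicate beside one hardened variant in which any attribute present in an update body counts as explicitly set. The resource schema, the policy table keyed as `<action>:<attribute>`, the sentinel and all function names are constructed for this illustration; the hardened predicate is one way to close the gap, not necessarily the patch neutron merged.

```python
# Added illustration for CVE-2014-6414: a simplified model of the
# per-attribute policy check. It is NOT neutron's policy module; the
# schema, rule names and the "fixed" predicate are constructed here to
# show the bypass and one way to close it.

ATTR_NOT_SPECIFIED = object()  # sentinel for "attribute absent from the request"

# Constructed schema: attribute name -> metadata with a 'default' entry.
NETWORK_ATTRS = {
    "name": {"default": ""},
    "shared": {"default": False},
    "router:external": {"default": False},
}

# Constructed policy table (assumption: admin_only rules are keyed
# "<action>:<attribute>", mirroring the policy.json convention).
POLICY = {
    "create_network:shared": "admin_only",
    "create_network:router:external": "admin_only",
    "update_network:shared": "admin_only",
    "update_network:router:external": "admin_only",
}


class PolicyNotAuthorized(Exception):
    pass


def explicitly_set_vulnerable(attr, schema, body, action):
    """Pre-fix logic: an attribute counts as explicitly set only when the
    request value differs from the schema default. Resetting an attribute
    to its default therefore looks like 'not set' and its rule is skipped."""
    return ("default" in schema[attr]
            and attr in body
            and body[attr] is not ATTR_NOT_SPECIFIED
            and body[attr] != schema[attr]["default"])


def explicitly_set_fixed(attr, schema, body, action):
    """Hardened variant used by this example: on update, any attribute the
    caller put in the body is explicitly set, whatever its value. Create
    keeps the default comparison so omitted attributes stay unchecked."""
    if action.startswith("update"):
        return attr in body and body[attr] is not ATTR_NOT_SPECIFIED
    return explicitly_set_vulnerable(attr, schema, body, action)


def build_rules(action, body, schema, explicitly_set):
    """Per-attribute rules the request triggers (the 'build match rule' step)."""
    return [f"{action}:{attr}" for attr in schema
            if explicitly_set(attr, schema, body, action)]


def enforce(action, body, is_admin, explicitly_set, schema=NETWORK_ATTRS):
    """Raise PolicyNotAuthorized if a non-admin trips an admin_only rule."""
    for rule in build_rules(action, body, schema, explicitly_set):
        if POLICY.get(rule) == "admin_only" and not is_admin:
            raise PolicyNotAuthorized(rule)
    return True


def update_allowed(body, is_admin, explicitly_set):
    """True if the network update passes policy, False if it is rejected."""
    try:
        return enforce("update_network", body, is_admin, explicitly_set)
    except PolicyNotAuthorized:
        return False


if __name__ == "__main__":
    # A tenant tries to flip a shared network back to private (the default).
    reset = {"shared": False}
    print("vulnerable:", update_allowed(reset, False, explicitly_set_vulnerable))
    print("fixed:     ", update_allowed(reset, False, explicitly_set_fixed))
```

With the pre-fix predicate, `build_rules` yields no rule at all for `{"shared": False}`, so the non-admin update goes through; setting `shared` to `True` in the same request is still caught, which is why the bug only shows up when the target value equals the default.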
CVE References: CVE-2014-6414
| Changed in neutron: | |
| assignee: | nobody → Elena Ezhova (eezhova) |
| Changed in neutron: | |
| importance: | Undecided → Medium |
| summary: | policy adnmin_only rules not enforced when changing value to default → policy admin_only rules not enforced when changing value to default |
| Changed in neutron: | |
| status: | New → In Progress |
| Changed in ossa: | |
| status: | Incomplete → Confirmed |
| importance: | Undecided → Medium |
| Changed in neutron: | |
| milestone: | juno-3 → juno-rc1 |
| Changed in ossa: | |
| assignee: | nobody → Grant Murphy (gmurphy) |
| Changed in ossa: | |
| status: | Triaged → In Progress |
| summary: | policy admin_only rules not enforced when changing value to default (CVE-2014-6414) → [OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414) |
| Changed in ossa: | |
| status: | Fix Committed → Fix Released |
| Changed in neutron: | |
| status: | Fix Committed → Fix Released |
| Changed in neutron: | |
| milestone: | juno-rc1 → 2014.2 |

Setting as private security as soon as Eugene made me aware of the bug.
This might allow users to reset arbitrary attributes to default values - which could be a security threat.