[OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414)
Bug #1357379 reported by
Elena Ezhova
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Fix Released
|
Medium
|
Grant Murphy | ||
neutron |
Fix Released
|
High
|
Elena Ezhova | ||
Havana |
Invalid
|
Undecided
|
Elena Ezhova | ||
Icehouse |
Fix Released
|
High
|
Ihar Hrachyshka |
Bug Description
If a non-admin user tries to update an attribute, which should be updated only by admin, from a non-default value to default, the update is successfully performed and PolicyNotAuthorized exception is not raised.
The reason is that when a rule to match for a given action is built there is a verification that each attribute in a body of the resource is present and has a non-default value. Thus, if we try to change some attribute's value to default, it is not considered to be explicitly set and a corresponding rule is not enforced.
CVE References
Changed in neutron: | |
assignee: | nobody → Elena Ezhova (eezhova) |
Changed in neutron: | |
importance: | Undecided → Medium |
summary: |
- policy adnmin_only rules not enforced when changing value to default + policy admin_only rules not enforced when changing value to default |
Changed in neutron: | |
status: | New → In Progress |
Changed in ossa: | |
status: | Incomplete → Confirmed |
importance: | Undecided → Medium |
Changed in neutron: | |
milestone: | juno-3 → juno-rc1 |
Changed in ossa: | |
assignee: | nobody → Grant Murphy (gmurphy) |
Changed in ossa: | |
status: | Triaged → In Progress |
summary: |
- policy admin_only rules not enforced when changing value to default - (CVE-2014-6414) + [OSSA 2014-031] policy admin_only rules not enforced when changing value + to default (CVE-2014-6414) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | juno-rc1 → 2014.2 |
To post a comment you must log in.
Setting as private security as soon as Eugene made me aware of the bug.
This might allow users to reset arbitrary attributes to default values - which could be a security threat.