neutron

Possible SQL Injection vulnerability in hyperv plugin

Bug #1370292 reported by Travis McPeak
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned
neutron
Invalid
Low
Unassigned

Bug Description

On this line: https://github.com/openstack/neutron/blob/master/neutron/plugins/hyperv/agent/utilsv2.py#L190 a raw SQL query is being made with the parameters 'class_name' and 'element_name'. Class name appears to be a hardcoded value in the usage that I saw, but element_name looks like it is set from "switch_port_name". If a malicious user is able to tamper with the switch port name, a SQL injection vulnerability exists.

At least this is an unsafe programming practice. A library such as sqlalchemy should be used, or at least prepared statements.

If there is no way for a user to tamper with these parameters, this can be fixed in public and treated as security hardening rather than a vulnerability.

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Thierry Carrez (ttx) wrote :

@Alessandro: could you tell us if that actually constitutes a true vulnerability ?

Revision history for this message
Alessandro Pilotti (alexpilotti) wrote :

Hi guys,

This is WQL, not SQL. There are no security concerns for this case.

Please see comments in the following bug report:
https://bugs.launchpad.net/nova/+bug/1370295

Thanks,

Alessandro

Revision history for this message
Jeremy Stanley (fungi) wrote :

Switched the bug to public and marked the security advisory task wontfix based on the above explanation.

information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Eugene Nikanorov (enikanorov)
Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/131428

Changed in neutron:
assignee: nobody → Sergey Vilgelm (sergey.vilgelm)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/131428
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Sergey Vilgelm (sergey.vilgelm)
Changed in neutron:
assignee: Sergey Vilgelm (sergey.vilgelm) → nobody
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 172 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: In Progress → Incomplete
Revision history for this message
Alessandro Pilotti (alexpilotti) wrote :

Not a bug as by discussion above, thanks

Changed in neutron:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.