[OSSA 2014-011] RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Andrew Laski | |
| Havana | Fix Released | High | Andrew Laski | |
| OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
It seems that when using the EC2 API, the security group implementation does not enforce RBAC policy for the add_rules, remove_rules, destroy and other functions (in compute/api.py). Only the add_to_instance and remove_
The Nova API security group implementation does enforce RBAC on these functions.
In addition, the add_to_instance and remove_from_instance functions which are wrapped in RBAC verification use the "compute:
This is the case on Grizzly and at first glance, it doesn't look like this has changed in Havana.
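As an added illustration (constructed for this page, not nova's code and not part of the report), the following Python model shows the shape of the flaw described above: two API front ends share one security-group backend, and only one of them enforces policy before delegating, so the same cross-tenant request is denied on one path and allowed on the other. Moving the check into the shared layer closes the gap for every caller at once. The class names, the rule name `compute:security_groups`, the policy table and the sample contexts are all assumptions made for the illustration.

```python
"""Toy model of per-frontend vs. shared-layer RBAC enforcement.

Constructed example (not nova's code). Two front ends share one
security-group backend; the flaw is that only one front end checks
policy before delegating. Rule names, classes and the policy table
are assumptions for illustration only.
"""
import functools


class PolicyNotAuthorized(Exception):
    """Raised when a context is not allowed to perform an action."""


# Assumed policy table: rule name -> predicate over (context, target).
# A caller may act on a group it owns, or if it is an admin.
POLICY = {
    "compute:security_groups": lambda ctx, target: (
        ctx["is_admin"] or ctx["project_id"] == target["project_id"]
    ),
}


def enforce(context, rule, target):
    """Deny unless the rule's predicate accepts this context and target."""
    check = POLICY.get(rule)
    if check is None or not check(context, target):
        raise PolicyNotAuthorized(f"{rule} denied for {context['user']}")


def check_policy(rule):
    """Decorator: enforce `rule` against the target before running the method."""
    def deco(func):
        @functools.wraps(func)
        def wrapper(self, context, target, *args, **kwargs):
            enforce(context, rule, target)
            return func(self, context, target, *args, **kwargs)
        return wrapper
    return deco


class UnguardedSecurityGroupAPI:
    """Shared backend with no policy checks: every caller must enforce itself."""

    def __init__(self):
        self.rules = {}  # group name -> list of rule dicts

    def add_rules(self, context, group, new_rules):
        self.rules.setdefault(group["name"], []).extend(new_rules)
        return list(self.rules[group["name"]])

    def destroy(self, context, group):
        self.rules.pop(group["name"], None)
        return True


class GuardedSecurityGroupAPI(UnguardedSecurityGroupAPI):
    """Fixed layout: enforcement lives in the shared backend, so no front end can skip it."""

    add_rules = check_policy("compute:security_groups")(UnguardedSecurityGroupAPI.add_rules)
    destroy = check_policy("compute:security_groups")(UnguardedSecurityGroupAPI.destroy)


class RestSecurityGroupFrontend:
    """Models the native API: checks policy, then delegates."""

    def __init__(self, backend):
        self.backend = backend

    def add_rules(self, context, group, new_rules):
        enforce(context, "compute:security_groups", group)
        return self.backend.add_rules(context, group, new_rules)


class Ec2SecurityGroupFrontend:
    """Models the second front end: delegates with no check of its own."""

    def __init__(self, backend):
        self.backend = backend

    def add_rules(self, context, group, new_rules):
        return self.backend.add_rules(context, group, new_rules)


# Constructed sample data: a group owned by tenant-a, and two non-admin callers.
GROUP = {"name": "web", "project_id": "tenant-a"}
OWNER_CONTEXT = {"user": "alice", "project_id": "tenant-a", "is_admin": False}
FOREIGN_CONTEXT = {"user": "bob", "project_id": "tenant-b", "is_admin": False}
SAMPLE_RULE = {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}


def outcomes(backend_cls, context=FOREIGN_CONTEXT):
    """Send the same add_rules request through both front ends.

    Returns {"rest": ..., "ec2": ...} with "allowed" or "denied" per path.
    """
    result = {}
    for name, fe_cls in (("rest", RestSecurityGroupFrontend), ("ec2", Ec2SecurityGroupFrontend)):
        frontend = fe_cls(backend_cls())
        try:
            frontend.add_rules(context, GROUP, [SAMPLE_RULE])
            result[name] = "allowed"
        except PolicyNotAuthorized:
            result[name] = "denied"
    return result


if __name__ == "__main__":
    print("unguarded backend, foreign tenant:", outcomes(UnguardedSecurityGroupAPI))
    print("guarded backend,   foreign tenant:", outcomes(GuardedSecurityGroupAPI))
    print("guarded backend,   owner:         ", outcomes(GuardedSecurityGroupAPI, OWNER_CONTEXT))
```

With the unguarded backend the REST path denies the foreign tenant while the EC2 path lets the request through, which is the asymmetry the report describes. With the check moved into the shared backend both paths deny the foreign tenant and both still allow the owner, and the REST front end's own check becomes harmless redundancy rather than the only line of defence.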
CVE References
CVE-2014-0167
| Changed in | Field | Change |
|---|---|---|
| ossa | status | New → Incomplete |
| nova | status | New → Confirmed |
| nova | assignee | nobody → Andrew Laski (alaski) |
| nova | tags | added: icehouse-rc-potential |
| ossa | status | Confirmed → Triaged |
| ossa | summary | "RBAC policy not enforced when adding a security group rule using EC2 API" → "RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)" |
| ossa | status | Triaged → In Progress |
| nova | milestone | none → icehouse-rc2 |
| nova | status | Confirmed → In Progress |
| nova | importance | Undecided → High |
| nova | information type | Private Security → Public Security |
| nova | summary | "RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)" → "[OSSA 2014-011] RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)" |
| ossa | status | Fix Committed → Fix Released |
| nova | milestone | icehouse-rc2 → 2014.1 |
| nova | tags | removed: icehouse-rc-potential |

What can I do to make this report more "complete"?
Thanks.