[OSSA 2013-035] Heat ReST API doesn't respect tenant scoping (CVE-2013-6428)

So the simplest possible fix is to remove the line which overwrites the context tenant_id:

https://github.com/openstack/heat/blob/master/heat/api/openstack/v1/util.py#L29

This just means the tenant_id in the path is ignored, and User1 always gets the same data regardless of the tenant specified in the path (solving the immediate problem)

However we should probably consider a more robust fix, where we deny any request where the tenant_id specified in the path doesn't match the tenant_id in the context, either directly in the API, or via a policy rule (I'm working on making the ReST API policy.json aware atm).

Sounds like this issue needs a CVE, can anyone from the OpenStack VMT confirm? Thanks.

Steven: Does this affect Havana as well?

Kurt: Probably, but we usually don't file a formal CVE request until we bring the PTL up to speed on the issue and get a confirmation of impact.

Jeremy: Yes, this affects Havana - it actually looks like the bug has existed since we first implemented the ReST API, so Grizzly, Havana and master are all affected.

Thanks. Since Heat was first officially included in the OpenStack Havana release we'll just say "all supported versions" in the OSSA and include patches for stable/havana and master, but feel free to make a stable/grizzly backport if you want.

This is an initial draft patch for discussion, still needs some test fixups to test_api_openstack_v1.py.

Looking at the tests explains why this issue slipped through - the tests assume the engine will reject the response due to invalid tenant, but we've erased the real tenant associated with the request by overwriting the context, so this can never be true.

This simple patch just raises HTTPForbidden if the context and path tenant_ids don't match, which is probably the easiest (to backport) solution. Then for master, we can move to potentially a more flexible policy based solution for Icehouse.

At the time this was written we were passing a username and password to the engine and checking credentials there; we had to add in the tenant from the URL because we didn't necessarily receive it in the request. Now that the only checking is done by the API middleware, this is obviously a horrible, horrible bug :(

The patch looks perfect for backporting; probably in the future we should refactor to do this check earlier and get rid of the tenant_local nonsense altogether.

+2

@Zane: Thanks for the feedback - yeah +1 on removing tenant_local after we have the backports done - I'm thinking we can probably kill it during the move to policy based enforcement (have a new policy_enforce decorator), but that looks probably too messy to backport due to dependence on other recently merged changes.

New patch coming soon with fixed-up tests.

Proposed patches for Master, Havana and Grizzly, with tests reworked

Retargeting to i-2 for now so that i-1 can be branched

> Retargeting to i-2 for now so that i-1 can be branched

I find it extremely unfortunate and depressing that our srt process is so slow that we have to release a milestone build without this critical fix - how can this not be a release blocker? :(

I did specifically point this bug out to Thierry. Now that milestone-proposed is branched I assume we can put this back on icehouse-1, and block release on it.

SteveBaker: our process unfortunately calls for early disclosure to a number of stakeholders (like distros) so this can't hit a public repo until that embargo period is over (which takes at least 4 days). So this will be post-i1. No big deal anyway, since i1 is just a tag marking the end of a icehouse development period... what would be nice would be to get it in havana 2013.2.1 though (next week).

Proposed impact description...
-----

Title: Heat ReST API doesn't respect tenant scoping
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in the Heat REST API. By changing the request path, an authenticated client may override their tenant scope resulting in privilege escalation. Only setups exposing the Heat orchestration REST interface are affected.

+1

Mmm... s/REST/ReST/ throughout the description section I guess, to match the title.

Scheduled advisory publication date is Wednesday, December 11, 2013 at 1500UTC (so as to fall before the 2013.2.1 point release). Patches will be pushed to review.openstack.org for last-minute approval shortly prior to that time.

Fix proposed to branch: master
Review: https://review.openstack.org/61455

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/61456

Reviewed: https://review.openstack.org/61455
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=759ee38c53a5e469b8333856e60a0827175457e7
Submitter: Jenkins
Branch: master

commit 759ee38c53a5e469b8333856e60a0827175457e7
Author: Steven Hardy <email address hidden>
Date: Mon Dec 2 23:59:19 2013 +0000

    Deny API requests where context doesn't match path

    We shouldn't overwrite the context tenant_id (which comes from the
    scope of the auth_token) with that from the path, instead raise a
    HTTPForbidden exception if the path-provided tenant_id doesn't match
    the context.

    Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81
    Closes-Bug: #1256983

Reviewed: https://review.openstack.org/61456
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=22f4fdafc0ac5cf86bd3b87faace5175fb8dc2c2
Submitter: Jenkins
Branch: stable/havana

commit 22f4fdafc0ac5cf86bd3b87faace5175fb8dc2c2
Author: Steven Hardy <email address hidden>
Date: Mon Dec 2 23:59:19 2013 +0000

    Deny API requests where context doesn't match path

    We shouldn't overwrite the context tenant_id (which comes from the
    scope of the auth_token) with that from the path, instead raise a
    HTTPForbidden exception if the path-provided tenant_id doesn't match
    the context.

    Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81
    Closes-Bug: #1256983