Activity log for bug #1784259

Columns: Date | Who | What changed | Old value | New value | Message

2018-07-30 01:13:39  Felipe Monteiro  bug
  Message: added bug
2018-07-30 01:14:28  Felipe Monteiro  description

  Old value:

* Description *

Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the plugins like the "enforce_policy": True key/value pair in the extension code.

Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py

This appears to be affecting many Neutron extensions.

* Pre-conditions *

1) Enable neutron-trunk plugin in local.conf by adding:

enable_service neutron-trunk

2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.:

"create_trunk": "rule:admin_only"

* Reproduction Steps *

1) Run the following CLI commands:

- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk

* Expected Output *

Expected result: trunk creation fails with a 403 Unauthorized.

* Actual Output *

Observed result: trunk creation succeeds.

* Affected Plugins *

As far as I can tell:

- subnet service type
- subnet segment_id
- trunks
- trunk subports

Possibly many more.

* Outstanding Patches *

Outstanding patches that begin fixing these issues:

- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)

Validation patches that identify some of these issues:

- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/

  New value: the same text, except that the first paragraph under "* Description *" now reads:

Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code.
2018-07-30 01:21:10  Felipe Monteiro  description

  Old value: the New value of the 2018-07-30 01:14:28 entry above.

  New value: the same text, with an empty step "3)" appended at the end of "* Pre-conditions *" (after the "create_trunk": "rule:admin_only" line).
2018-07-30 01:22:13  Felipe Monteiro  description

  Old value: the New value of the 2018-07-30 01:21:10 entry above.

  New value: the same text, with "* Pre-conditions *" step 2 extended and step 3 filled in:

2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.:

"create_trunk": "rule:admin_only"

or even "create_trunk": "!" which should deny absolutely everyone.

3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin using the "!" rule.

and with the last command under "* Reproduction Steps *" now creating the trunk in project demo instead of admin:

- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
2018-07-30 01:22:46  Felipe Monteiro  description

  Old value: the New value of the 2018-07-30 01:22:13 entry above.

  New value: the same text, with "* Pre-conditions *" step 3 now reading:

3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
2018-07-30 14:02:34  Jeremy Stanley  bug task
  Message: added ossa

2018-07-30 14:03:23  Jeremy Stanley  ossa: status
  Old value: New
  New value: Incomplete
2018-07-30 14:03:44  Jeremy Stanley  description

  Old value: the New value of the 2018-07-30 01:22:46 entry above.

  New value: the same text, with the following embargo notice prepended before "* Description *":

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
2018-07-30 14:03:59  Jeremy Stanley  bug
  Message: added subscriber Neutron Core Security reviewers
2018-08-04 01:15:11  Jeremy Stanley  description

  Old value: the New value of the 2018-07-30 14:03:44 entry above (embargo notice followed by the description).

  New value: the description alone, i.e. the New value of the 2018-07-30 01:22:46 entry above, with the embargo notice removed.
2018-08-04 01:15:19  Jeremy Stanley  information type
  Old value: Private Security
  New value: Public Security

2018-08-07 07:40:33  Bence Romsics  bug
  Message: added subscriber Bence Romsics

2018-08-30 20:03:24  OpenStack Infra  neutron: status
  Old value: New
  New value: In Progress

2018-08-30 20:03:24  OpenStack Infra  neutron: assignee
  New value: Mykola Yakovliev (vegasq)

2020-09-03 11:27:06  Slawek Kaplonski  neutron: status
  Old value: In Progress
  New value: Confirmed

2021-08-05 17:43:08  Jeremy Stanley  ossa: status
  Old value: Incomplete
  New value: Won't Fix

2021-08-05 17:45:58  Jeremy Stanley  tags
  New value: security

2021-08-05 17:47:11  Jeremy Stanley  information type
  Old value: Public Security
  New value: Public