2024-01-04 19:37:53 |
Jeremy Stanley |
bug |
|
|
added bug |
2024-01-04 19:37:53 |
Jeremy Stanley |
attachment added |
|
leaking murano account and password https://bugs.launchpad.net/bugs/2048114/+attachment/5736495/+files/image.png |
|
2024-01-04 19:38:47 |
Jeremy Stanley |
attachment added |
|
logining with leakd murano credentials https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5736496/+files/image.png |
|
2024-01-04 19:39:04 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2024-01-04 19:39:13 |
Jeremy Stanley |
ossa: status |
New |
Won't Fix |
|
2024-01-04 19:39:50 |
Jeremy Stanley |
bug |
|
|
added subscriber Murano Drivers |
2024-01-05 16:00:34 |
Jeremy Stanley |
bug |
|
|
added subscriber kirualawliet |
2024-02-22 02:35:48 |
kirualawliet |
attachment added |
|
app_mysql_murano_leak_info_credit.zip https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5748292/+files/app_mysql_murano_leak_info_credit.zip |
|
2024-02-22 04:15:26 |
Andy Botting |
information type |
Private Security |
Private |
|
2024-02-22 04:15:39 |
Andy Botting |
information type |
Private |
Private Security |
|
2024-02-22 14:31:23 |
Jeremy Stanley |
bug |
|
|
added subscriber Jake Yip |
2024-03-06 21:20:52 |
Jeremy Stanley |
bug |
|
|
added subscriber Jay Faulkner |
2024-03-06 21:21:08 |
Jeremy Stanley |
bug |
|
|
added subscriber Dan Smith |
2024-03-06 23:42:18 |
Jeremy Stanley |
bug |
|
|
added subscriber Clark Boylan |
2024-03-06 23:57:33 |
Jeremy Stanley |
bug |
|
|
added subscriber Takashi Kajinami |
2024-03-06 23:57:52 |
Jeremy Stanley |
bug |
|
|
added subscriber axel vanzaghi |
2024-03-07 13:10:40 |
Takashi Kajinami |
attachment added |
|
Example heat template with yaql format function https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5753786/+files/yaqltest.yaml |
|
2024-03-07 13:11:36 |
Takashi Kajinami |
attachment added |
|
Example heat template with yaql format function https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5753787/+files/yaqltest.yaml |
|
2024-03-07 13:12:04 |
Takashi Kajinami |
attachment added |
|
Result of openstack resource show which contains format function result https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5753788/+files/console.log |
|
2024-03-07 15:15:01 |
Jeremy Stanley |
bug task added |
|
yaql |
|
2024-03-07 15:15:23 |
Jeremy Stanley |
bug task added |
|
ossn |
|
2024-03-07 15:15:31 |
Jeremy Stanley |
ossn: status |
New |
Confirmed |
|
2024-03-07 15:15:38 |
Jeremy Stanley |
ossn: importance |
Undecided |
High |
|
2024-03-07 15:15:43 |
Jeremy Stanley |
ossn: assignee |
|
Jeremy Stanley (fungi) |
|
2024-03-08 19:32:14 |
Jeremy Stanley |
bug |
|
|
added subscriber James Slagle |
2024-03-09 05:53:28 |
Takashi Kajinami |
attachment added |
|
bug-2048114.patch https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5754210/+files/bug-2048114.patch |
|
2024-03-11 14:25:32 |
James Slagle |
bug |
|
|
added subscriber Rabi Mishra |
2024-03-12 09:43:23 |
Takashi Kajinami |
yaql: importance |
Undecided |
High |
|
2024-03-12 14:47:53 |
Takashi Kajinami |
attachment added |
|
bug-2048114-v2.patch https://bugs.launchpad.net/murano/+bug/2048114/+attachment/5755306/+files/bug-2048114-v2.patch |
|
2024-03-13 06:03:30 |
Takashi Kajinami |
yaql: assignee |
|
Takashi Kajinami (kajinamit) |
|
2024-03-14 15:22:33 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2024-03-14 15:24:09 |
Takashi Kajinami |
yaql: importance |
High |
Critical |
|
2024-03-14 15:24:36 |
OpenStack Infra |
yaql: status |
New |
In Progress |
|
2024-03-14 15:55:27 |
OpenStack Infra |
yaql: status |
In Progress |
Fix Released |
|
2024-03-14 16:46:29 |
Jeremy Stanley |
summary |
OpenStack Murano Component Information Leakage |
Unsafe Environment Handling in MuranoPL |
|
2024-03-14 21:01:09 |
Jeremy Stanley |
ossn: status |
Confirmed |
Fix Released |
|
2024-03-18 13:54:47 |
Jeremy Stanley |
description |
Members of the VMT received the following report by E-mail from "kirualawliet l":
Title: OpenStack Murano Component Information Leakage
Reporter: lawliet and edwardpeng(@edwardzpeng) from Sangfor Security Research Team
Products: OpenStack Murano Component
Affects: All versions of Murano Component
Description:
The Sangfor Security Research Team has identified a critical security vulnerability in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks.
The vulnerability stems from the Murano service's reliance on MuranoPL, an extension of the YAQL language. The YAQL library includes a 'format' function that mirrors Python's 'str.format' method, enabling attribute access.
```python
# code snippet from yaql-2.0.0\standard_library\strings.py:569
@specs.parameter('__format_string', yaqltypes.String())
@specs.extension_method
def format_(__format_string, *args, **kwargs):
...
return __format_string.format(*args, **kwargs)
```
An example of this vulnerability includes:
```
>>> secret_key = "abcd1234"
>>> class Test:
... def __init__(self):
... pass
...
>>> t = Test()
>>> # Exploiting the vulnerability to expose sensitive data:
>>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
>>> formatted_output = malicious_format_string.format(t)
>>> print(formatted_output) # This line reveals the value of secret_key
'abcd1234'
```
This exploit allows access to Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, granting unauthorized users administrative privileges.
We believe no deployment mode is immune to this vulnerability. To ensure system security, we recommend immediate attention and remediation of this vulnerability within the OpenStack Murano component. Our team stands ready to offer assistance and collaboration in addressing and resolving this issue promptly.
Thank you for your prompt attention to this matter.
Sincerely,
kirualawliet
Sangfor Security Research Team |
Members of the VMT received the following report by E-mail from "kirualawliet l":
Title: OpenStack Murano Component Information Leakage
Reporter: lawliet and Zhiniang Peng (@edwardzpeng) from Sangfor Security Research Team
Products: OpenStack Murano Component
Affects: All versions of Murano Component
Description:
The Sangfor Security Research Team has identified a critical security vulnerability in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks.
The vulnerability stems from the Murano service's reliance on MuranoPL, an extension of the YAQL language. The YAQL library includes a 'format' function that mirrors Python's 'str.format' method, enabling attribute access.
```python
# code snippet from yaql-2.0.0\standard_library\strings.py:569
@specs.parameter('__format_string', yaqltypes.String())
@specs.extension_method
def format_(__format_string, *args, **kwargs):
...
return __format_string.format(*args, **kwargs)
```
An example of this vulnerability includes:
```
>>> secret_key = "abcd1234"
>>> class Test:
... def __init__(self):
... pass
...
>>> t = Test()
>>> # Exploiting the vulnerability to expose sensitive data:
>>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
>>> formatted_output = malicious_format_string.format(t)
>>> print(formatted_output) # This line reveals the value of secret_key
'abcd1234'
```
This exploit allows access to Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, granting unauthorized users administrative privileges.
We believe no deployment mode is immune to this vulnerability. To ensure system security, we recommend immediate attention and remediation of this vulnerability within the OpenStack Murano component. Our team stands ready to offer assistance and collaboration in addressing and resolving this issue promptly.
Thank you for your prompt attention to this matter.
Sincerely,
kirualawliet
Sangfor Security Research Team |
|
2024-03-18 14:09:50 |
Jeremy Stanley |
cve linked |
|
2024-29156 |
|