cinder backup-list is always listing all tenants' bug for admin in V1 api

Bug #1514396 reported by Cyril Feraudet
This bug affects 2 people
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned
ospurge                      Invalid       Undecided   Unassigned
python-cinderclient          Fix Released  Undecided   Unassigned

Bug Description

https://bugs.launchpad.net/python-cinderclient/+bug/1422046 has been fixed for V2 only

This is a security issue because it leads to deleting all production backups when logged in as admin

Tags: security
information type: Private Security → Public Security
Changed in ospurge:
status: New → Confirmed
Changed in python-cinderclient:
status: New → Confirmed
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

While I agree there is a non-negligible risk presented by this behavior, I don't see how a malicious actor could use this flaw to their advantage. As such, it doesn't seem like something for which the OpenStack Vulnerability Management Team would issue an official security advisory.

information type: Public Security → Public
tags: added: security
Revision history for this message
Yves-Gwenael Bourhis (yves-gwenael-bourhis) wrote :
Revision history for this message
Jeremy Stanley (fungi) wrote :

As with related bug 1422046, I'm similarly triaging this as a security hardening opportunity (class D in our taxonomy https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

As part of the v2 only fix mentioned, the service side in cinder was changed to only return the admin's own backups.

https://review.openstack.org/#/c/207451/

This effectively resolved this bug as it is no longer a risk that an admin could accidentally get and delete all tenants' backups.

Without a change to the v1 support of the client, the admin no longer has the ability to get all backups in the system. As v1 has been deprecated for some time and we are trying to get folks to move over to v2 this is fine. This should encourage admins that do need to get all backups to use the v2 API.

Changed in python-cinderclient:
status: Confirmed → Fix Released
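The two behaviours discussed in the comment above (the old service side that hands an admin every tenant's backups, and the post-fix side that scopes the listing to the caller's project unless all tenants are explicitly requested) can be modelled side by side, together with the kind of project-scoped guard a purge tool such as ospurge would want before issuing deletes. This is an added illustration, not cinder's, python-cinderclient's or ospurge's code; the `Backup`/`Context` types, the `project_id` field and the sample data are constructed for the example.

```python
"""Constructed model of cinder backup-list scoping (not cinder's own code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Backup:
    id: str
    project_id: str   # assumed field name; real API attributes differ
    name: str


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool


# Constructed sample data: one admin backup and two tenants' production backups.
BACKUPS = [
    Backup("b1", "admin-proj", "admin-db"),
    Backup("b2", "tenant-a", "prod-db-a"),
    Backup("b3", "tenant-b", "prod-db-b"),
]


def list_backups_server_old(ctx: Context, store=BACKUPS) -> List[Backup]:
    """Pre-fix service behaviour: an admin context sees every tenant's backups,
    so a v1 client that never narrows the list exposes all of them."""
    if ctx.is_admin:
        return list(store)
    return [b for b in store if b.project_id == ctx.project_id]


def list_backups_server(ctx: Context, all_tenants: bool = False,
                        store=BACKUPS) -> List[Backup]:
    """Post-fix service behaviour: results are scoped to the caller's project
    unless an admin explicitly asks for all tenants."""
    if ctx.is_admin and all_tenants:
        return list(store)
    return [b for b in store if b.project_id == ctx.project_id]


def purge_project_backups(ctx: Context, target_project: str,
                          delete: Callable[[str], None],
                          list_fn: Callable[[Context], List[Backup]],
                          ) -> Tuple[List[str], int]:
    """Defensive purge: never trust the listing's scope. Only backups whose
    project matches the purge target are deleted; anything else is skipped
    and counted so the operator can see the listing was over-broad."""
    deleted, skipped = [], 0
    for backup in list_fn(ctx):
        if backup.project_id != target_project:
            skipped += 1
            continue
        delete(backup.id)
        deleted.append(backup.id)
    return deleted, skipped


if __name__ == "__main__":
    admin = Context("admin-proj", is_admin=True)
    removed = []
    # Against the old service an unscoped purge would have hit all three;
    # the project filter limits it to tenant-a and reports two skipped.
    print(purge_project_backups(admin, "tenant-a", removed.append,
                                list_backups_server_old))
    # Against the fixed service the admin only sees its own backups.
    print([b.id for b in list_backups_server(admin)])
```

The guard in `purge_project_backups` is the client-side complement of the service-side change: even where a listing call returns more than intended, deletes stay confined to the project being purged, and the skipped count surfaces the discrepancy instead of silently acting on it.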
Revision history for this message
Steve Martinelli (stevemar) wrote :

As far as I can tell, this was fixed by bug 1422046, and new versions of cinderclient should fix this in ospurge

Changed in ospurge:
status: Confirmed → Invalid