[OSSA 2014-007] Keystone middleware may confuse contexts (CVE-2014-0105)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Fix Released | Critical | Tristan Cacqueray | |
| python-keystoneclient | Fix Released | Critical | Dolph Mathews | |
Bug Description
tl;dr: Occasionally a request from a regular user appears to Glance-registry as an admin user:
We have a server with 12 glance-registry processes running, with auth_token middleware handling authentication.
If I run a python script that sets up Glanceclient:
glance = glanceclient.
and makes the following call over and over:
glance.
Most calls 404 because the calling tenant doesn't have access to the image. Eventually though, an image get request will succeed.
When this happens, glance-registry logs something like:
INFO glance.
User 2d474f5d54e24a5
The reverse of this also happens. Occasionally a request from ceilometer will assume the identity of the user in my script. Glance-registry logs the request as if it had come from my user, and denies the image GET because my user does not have the appropriate permission for the image ceilometer was trying to query.
If I comment out the "memcached_servers" line from our log file, the problem goes away. This makes me suspect that something is going on in auth_token middleware. When I watch the memcache entry for the token used by my script, the token data never appears to change.
What on earth is going on here? :)
Changed in python-keystoneclient: importance: Undecided → Critical
Changed in python-keystoneclient: assignee: nobody → Dolph Mathews (dolph)
Changed in ossa: status: Incomplete → Confirmed
summary: Keystone middleware may confuse contexts → Keystone middleware may confuse contexts (CVE-2014-0105)
Changed in glance: status: Invalid → Confirmed
no longer affects: ceilometer
no longer affects: glance
no longer affects: swift
Changed in python-keystoneclient: status: In Progress → Triaged
Changed in python-keystoneclient: status: Triaged → In Progress
Changed in ossa: status: Triaged → In Progress
Changed in python-keystoneclient: status: Fix Committed → Fix Released
information type: Private Security → Public Security
auth_token middleware thinks it is retrieving the user's token from memcache, but ends up returning the token data for the admin user:
2014-02-21 16:41:56.868 28193 DEBUG keystoneclient.middleware.auth_token [-] Returning cached token 46b4e15e0bf1bef6655dbee733867972. Token data: {u'access': {u'token': {u'issued_at': u'2014-02-21T05:41:51.816330', u'expires': u'2014-02-21T11:41:51Z', u'id': u'placeholder', u'tenant': {u'id': u'e4eee8dbc16a49dcbc76edac96674e96', u'enabled': True, u'description': None, u'name': u'admin'}}
46b4e15e0bf1bef6655dbee733867972 is the hash of the user's PKI token. But the token data is from another user's token!
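The symptom in the bug description and in the debug log above (a regular user's request answered with the admin token's data, and the reverse) is the shape of failure you get when a cache client that is not safe to share is reused across requests served concurrently in one process. The model below is an added example, not code from python-keystoneclient, Glance or the reporter; it assumes that mechanism (a single connection whose answers arrive in send order and are read by whichever request resumes first), and the token hashes, user names and `Connection`/`lookup` helpers are constructed for the illustration. It shows the interleaving that swaps two cached tokens, why a run with no overlap hides the problem, the per-request-connection shape that removes it, and a verification check that turns a swapped answer into a cache miss.

```python
from collections import deque

# Constructed sample cache contents (not from the report): token hash -> token data.
# Each entry also records the hash it was stored under, for the verified variant.
CACHE_STORE = {
    "hash-user":  {"hash": "hash-user",  "user": "alice", "tenant": "demo",  "roles": ["member"]},
    "hash-admin": {"hash": "hash-admin", "user": "admin", "tenant": "admin", "roles": ["admin"]},
}


class Connection:
    """A single request/response channel to the cache server (a stand-in for a
    memcache client socket). Answers come back in the order requests were sent;
    nothing on the wire ties an answer to the caller that asked for it."""

    def __init__(self, store):
        self._store = store
        self._inbox = deque()

    def send_get(self, key):
        # The simulated server answers at once; the answer waits to be read.
        self._inbox.append(self._store.get(key))

    def recv(self):
        return self._inbox.popleft()


def lookup(conn, key):
    """A cached-token lookup split at the point where a cooperative scheduler
    may switch to another in-flight request while this one waits for I/O."""
    conn.send_get(key)
    yield                       # another green thread may run here
    return conn.recv()          # reads whatever answer is next on the channel


def verified_lookup(conn, key):
    """Defensive variant: the cached value carries the hash it was stored under,
    so an answer for a different key is treated as a miss instead of trusted."""
    conn.send_get(key)
    yield
    data = conn.recv()
    if data is None or data.get("hash") != key:
        return None             # cache miss: fall back to validating the token
    return data


def run_schedule(tasks, schedule):
    """Resume the generator tasks in the given order; return each task's result."""
    results = [None] * len(tasks)
    for idx in schedule:
        try:
            next(tasks[idx])
        except StopIteration as done:
            results[idx] = done.value
    return results


def shared_connection_lookups(keys, schedule, lookup_fn=lookup):
    """Vulnerable shape: every concurrent request reuses one connection object."""
    conn = Connection(CACHE_STORE)
    return run_schedule([lookup_fn(conn, k) for k in keys], schedule)


def per_request_connection_lookups(keys, schedule, lookup_fn=lookup):
    """Fixed shape: each request gets its own connection (what a thread-local
    or pooled client provides), so answers cannot cross between requests."""
    return run_schedule([lookup_fn(Connection(CACHE_STORE), k) for k in keys], schedule)


# Request 0 is the regular user's call, request 1 an admin call arriving meanwhile.
KEYS = ["hash-user", "hash-admin"]
# Both requests send before either reads, and request 1 reads first.
INTERLEAVED = [0, 1, 1, 0]
# Request 0 completes before request 1 starts: no overlap, no confusion.
SEQUENTIAL = [0, 0, 1, 1]

if __name__ == "__main__":
    print("shared, interleaved:  ", shared_connection_lookups(KEYS, INTERLEAVED))
    print("shared, sequential:   ", shared_connection_lookups(KEYS, SEQUENTIAL))
    print("per-request:          ", per_request_connection_lookups(KEYS, INTERLEAVED))
    print("shared + verification:", shared_connection_lookups(KEYS, INTERLEAVED, verified_lookup))
```

With the shared connection and the interleaved schedule, request 0 returns the admin data and request 1 returns the user's data, which is the pair of symptoms the report describes; the sequential schedule returns both correctly, which is why most calls look fine and only an occasional one misbehaves. The per-request connection is the structural fix; the verification step is a cheap belt-and-braces check a caching layer can add so that a crossed answer fails closed (a miss followed by a fresh validation) rather than being used as the request's identity. It also matches the observation that the problem disappears when `memcached_servers` is removed: without the shared cache client there is no channel for answers to cross on.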