Date | Who | What | Old value | New value | Message
2016-01-14 19:49:30 | Brant Knudson | bug | | | added bug
2016-01-14 20:24:54 | Tristan Cacqueray | bug task added | | ossa |
2016-01-14 20:24:59 | Tristan Cacqueray | ossa: status | New | Incomplete |
2016-01-14 20:25:14 | Tristan Cacqueray | description |
Old value:
XML parsing is surprisingly difficult and fraught with danger; for example, entity expansion makes it easy to cause a lot of memory to be used and therefore crash your system. keystoneclient is using etree parsing, which has these potential issues, although in the case of keystoneclient it's the response from the IdP, which I think is generally trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py.
There's a defusedxml parser that has protections against these attacks and should therefore be used instead if possible - https://pypi.python.org/pypi/defusedxml - the docs for this page also include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about it some more before it goes public, even though it's probably not something that needs an issue, since I think the source is generally trusted. If you can't trust your IdP, then who can you trust?
New value:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
XML parsing is surprisingly difficult and fraught with danger; for example, entity expansion makes it easy to cause a lot of memory to be used and therefore crash your system. keystoneclient is using etree parsing, which has these potential issues, although in the case of keystoneclient it's the response from the IdP, which I think is generally trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py.
There's a defusedxml parser that has protections against these attacks and should therefore be used instead if possible - https://pypi.python.org/pypi/defusedxml - the docs for this page also include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about it some more before it goes public, even though it's probably not something that needs an issue, since I think the source is generally trusted. If you can't trust your IdP, then who can you trust?

2016-01-14 21:35:37 | Brant Knudson | bug task added | | keystoneauth |

2016-01-19 16:45:07 | Tristan Cacqueray | description |
Old value:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
XML parsing is surprisingly difficult and fraught with danger; for example, entity expansion makes it easy to cause a lot of memory to be used and therefore crash your system. keystoneclient is using etree parsing, which has these potential issues, although in the case of keystoneclient it's the response from the IdP, which I think is generally trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py.
There's a defusedxml parser that has protections against these attacks and should therefore be used instead if possible - https://pypi.python.org/pypi/defusedxml - the docs for this page also include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about it some more before it goes public, even though it's probably not something that needs an issue, since I think the source is generally trusted. If you can't trust your IdP, then who can you trust?
New value:
XML parsing is surprisingly difficult and fraught with danger; for example, entity expansion makes it easy to cause a lot of memory to be used and therefore crash your system. keystoneclient is using etree parsing, which has these potential issues, although in the case of keystoneclient it's the response from the IdP, which I think is generally trusted.
This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py.
There's a defusedxml parser that has protections against these attacks and should therefore be used instead if possible - https://pypi.python.org/pypi/defusedxml - the docs for this page also include some examples of other possible attacks.
This was caught by bandit 0.17.0.
I'm going to start this out as private security so we can think about it some more before it goes public, even though it's probably not something that needs an issue, since I think the source is generally trusted. If you can't trust your IdP, then who can you trust?

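The parsing hazard the report describes, as an added illustration that is not code from keystoneauth or python-keystoneclient: a plain `xml.etree` parse expands a declared entity silently, while a defusedxml-style check that aborts on any entity declaration refuses the same document before it is parsed. The SAML-shaped sample documents and the `reject_entities` helper are constructed for this example; with defusedxml installed, `defusedxml.ElementTree.fromstring` raises its own `EntitiesForbidden` on the same input.

```python
# Added illustration; not code from keystoneauth or python-keystoneclient.
import xml.etree.ElementTree as ET
import xml.parsers.expat

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def response(issuer, doctype=""):
    """Constructed, minimal SAML-shaped response wrapping an Issuer value."""
    return (
        '<?xml version="1.0"?>' + doctype
        + '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        + 'xmlns:saml="' + SAML_NS + '"><saml:Issuer>' + issuer
        + "</saml:Issuer></samlp:Response>"
    )

# Constructed samples.  A genuine IdP response carries no DOCTYPE and declares
# no entities, so the declaration below is itself reason to refuse the document.
CLEAN_DOC = response("https://idp.example.org")
ENTITY_DOC = response("&pad;&pad;&pad;&pad;",
                      '<!DOCTYPE samlp:Response [<!ENTITY pad "0123456789">]>')

class EntitiesForbidden(ValueError):
    """The document declares an entity; refuse to parse it."""

def reject_entities(doc):
    """Scan with expat and abort at the first entity declaration.  EntityDeclHandler
    is the hook defusedxml uses; it is reproduced here so the example runs
    without that package installed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntitiesForbidden("entity declaration %r not allowed" % name)

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)

def issuer_unsafe(doc):
    """Plain etree parse, as the SAML2 plugin did: &pad; is silently expanded."""
    root = ET.fromstring(doc)
    return root.find("{%s}Issuer" % SAML_NS).text

def issuer_hardened(doc):
    """Return the Issuer text, or None when the document declared entities."""
    try:
        reject_entities(doc)
    except EntitiesForbidden:
        return None
    return issuer_unsafe(doc)
```

The four-fold expansion here is deliberately tiny; the same mechanism with nested entities is what lets a single small document exhaust memory, which is why the hardened path refuses declarations outright instead of counting expansions.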
2016-01-19 16:45:12 | Tristan Cacqueray | ossa: status | Incomplete | Won't Fix |
2016-01-19 16:45:16 | Tristan Cacqueray | information type | Private Security | Public |
2016-01-19 16:45:21 | Tristan Cacqueray | tags | bandit | bandit security |
2016-02-02 21:19:05 | Morgan Fainberg | keystoneauth: status | New | Triaged |
2016-02-02 21:19:08 | Morgan Fainberg | keystoneauth: importance | Undecided | Medium |
2016-03-02 20:57:18 | Morgan Fainberg | python-keystoneclient: status | New | Won't Fix |
2016-03-03 07:17:59 | Morgan Fainberg | summary | keystoneclient should not use etree XML parsing | keystoneauth auth plugins should not use etree XML parsing |
2018-01-23 10:55:37 | OpenStack Infra | keystoneauth: status | Triaged | In Progress |
2018-01-23 10:55:37 | OpenStack Infra | keystoneauth: assignee | | Kairat Kushaev (kkushaev) |
2018-04-16 17:27:29 | OpenStack Infra | keystoneauth: assignee | Kairat Kushaev (kkushaev) | Pavlo Shchelokovskyy (pshchelo) |
2018-10-24 19:05:40 | Morgan Fainberg | keystoneauth: status | In Progress | Triaged |
2018-10-24 19:06:06 | Morgan Fainberg | keystoneauth: assignee | Pavlo Shchelokovskyy (pshchelo) | |