| 2015-10-29 14:43:52 |
Samuel Matzek |
bug |
|
|
added bug |
| 2015-10-29 14:44:33 |
Samuel Matzek |
bug |
|
|
added subscriber Jay Bryant |
| 2015-10-29 14:45:04 |
Samuel Matzek |
bug |
|
|
added subscriber Matthew Edmonds |
| 2015-10-29 15:57:15 |
Grant Murphy |
bug task added |
|
ossa |
|
| 2015-10-29 15:57:21 |
Grant Murphy |
ossa: status |
New |
Incomplete |
|
| 2015-10-29 15:57:42 |
Grant Murphy |
bug |
|
|
added subscriber Cinder Core security contacts |
| 2015-10-29 15:58:33 |
Grant Murphy |
description |
Cinder's cinder.context.get_admin_context is inadvertently elevating the thread to use an admin context and essentially discards the thread's user context for the remainder of the request.
This has security implications since any calls done after cinder.context.get_admin_context that obtain and use the thread's current context will be using an admin context instead of the user's context.
This has serviceability implications because every call to get_admin_context will switch the thread's context, which changes the request ID. This makes it very difficult or impossible to use the request ID in log entries to follow a request through a flow.
The root cause is that cinder.context.RequestContext class' __init__ is not passing overwrite=overwrite to the parent class as it should at [1].
I looked at Nova and it does not have this problem.
I looked at Neutron and its get_admin_context flow does not have this problem but the neutron.context.py get_admin_context_without_session method will have this same issue.
Those are the only other projects I checked.
I have not opened a bug against neutron or any other services since I am not sure on the procedures for security issues that hit multiple projects like this one.
Recreation code:
from cinder import context as cinder_context
from oslo_context import context
context.RequestContext()
print "Thread's context at start %s" % context.get_current().to_dict()
admin_cxt = context.get_admin_context()
print "Thread's context after oslo get_admin_context %s" % context.get_current().to_dict()
admin_cxt = cinder_context.get_admin_context()
print "Thread's context after cinder get_admin_context %s" % context.get_current().to_dict()
Produces output:
Thread's context at start {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after oslo get_admin_context {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after cinder get_admin_context {'domain': None, 'project_name': None, 'project_domain': None, 'timestamp': '2015-10-29T14:26:19.880000', 'auth_token': None, 'remote_address': None, 'quota_class': None, 'resource_uuid': None, 'is_admin': True, 'user': None, 'service_catalog': [], 'tenant': None, 'read_only': False, 'project_id': None, 'user_id': None, 'show_deleted': False, 'roles': ['admin'], 'user_identity': '- - - - -', 'read_deleted': 'no', 'request_id': 'req-585989b8-d431-4352-93f2-f313147fa715', 'user_domain': None}
[1] https://github.com/openstack/cinder/blob/master/cinder/context.py#L73 |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Cinder's cinder.context.get_admin_context is inadvertently elevating the thread to use an admin context and essentially discards the thread's user context for the remainder of the request.
This has security implications since any calls done after cinder.context.get_admin_context that obtain and use the thread's current context will be using an admin context instead of the user's context.
This has serviceability implications because every call to get_admin_context will switch the thread's context, which changes the request ID. This makes it very difficult or impossible to use the request ID in log entries to follow a request through a flow.
The root cause is that cinder.context.RequestContext class' __init__ is not passing overwrite=overwrite to the parent class as it should at [1].
I looked at Nova and it does not have this problem.
I looked at Neutron and its get_admin_context flow does not have this problem but the neutron.context.py get_admin_context_without_session method will have this same issue.
Those are the only other projects I checked.
I have not opened a bug against neutron or any other services since I am not sure on the procedures for security issues that hit multiple projects like this one.
Recreation code:
from cinder import context as cinder_context
from oslo_context import context
context.RequestContext()
print "Thread's context at start %s" % context.get_current().to_dict()
admin_cxt = context.get_admin_context()
print "Thread's context after oslo get_admin_context %s" % context.get_current().to_dict()
admin_cxt = cinder_context.get_admin_context()
print "Thread's context after cinder get_admin_context %s" % context.get_current().to_dict()
Produces output:
Thread's context at start {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after oslo get_admin_context {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after cinder get_admin_context {'domain': None, 'project_name': None, 'project_domain': None, 'timestamp': '2015-10-29T14:26:19.880000', 'auth_token': None, 'remote_address': None, 'quota_class': None, 'resource_uuid': None, 'is_admin': True, 'user': None, 'service_catalog': [], 'tenant': None, 'read_only': False, 'project_id': None, 'user_id': None, 'show_deleted': False, 'roles': ['admin'], 'user_identity': '- - - - -', 'read_deleted': 'no', 'request_id': 'req-585989b8-d431-4352-93f2-f313147fa715', 'user_domain': None}
[1] https://github.com/openstack/cinder/blob/master/cinder/context.py#L73 |
|
| 2015-10-29 18:07:31 |
Samuel Matzek |
bug |
|
|
added subscriber Sridhar Venkat |
| 2015-10-29 18:10:01 |
Samuel Matzek |
bug |
|
|
added subscriber Gerald McBrearty |
| 2015-10-30 00:13:42 |
Matthew Edmonds |
bug task added |
|
neutron |
|
| 2015-10-30 00:30:02 |
Matthew Edmonds |
bug |
|
|
added subscriber Neutron Core Security reviewers |
| 2015-10-30 01:03:10 |
Matthew Edmonds |
bug task added |
|
sahara |
|
| 2015-10-30 01:04:28 |
Matthew Edmonds |
bug |
|
|
added subscriber Sahara Core security contacts |
| 2015-10-30 01:07:28 |
Kevin Benton |
bug task deleted |
neutron |
|
|
| 2015-10-31 23:20:27 |
Matthew Edmonds |
tags |
|
liberty-backport-potential |
|
| 2015-10-31 23:20:47 |
Matthew Edmonds |
tags |
liberty-backport-potential |
kilo-backport-potential liberty-backport-potential |
|
| 2015-11-17 20:34:56 |
Samuel Matzek |
bug |
|
|
added subscriber Brant Knudson |
| 2015-12-15 16:30:57 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Won't Fix |
|
| 2015-12-15 16:31:06 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Cinder's cinder.context.get_admin_context is inadvertently elevating the thread to use an admin context and essentially discards the thread's user context for the remainder of the request.
This has security implications since any calls done after cinder.context.get_admin_context that obtain and use the thread's current context will be using an admin context instead of the user's context.
This has serviceability implications because every call to get_admin_context will switch the thread's context, which changes the request ID. This makes it very difficult or impossible to use the request ID in log entries to follow a request through a flow.
The root cause is that cinder.context.RequestContext class' __init__ is not passing overwrite=overwrite to the parent class as it should at [1].
I looked at Nova and it does not have this problem.
I looked at Neutron and its get_admin_context flow does not have this problem but the neutron.context.py get_admin_context_without_session method will have this same issue.
Those are the only other projects I checked.
I have not opened a bug against neutron or any other services since I am not sure on the procedures for security issues that hit multiple projects like this one.
Recreation code:
from cinder import context as cinder_context
from oslo_context import context
context.RequestContext()
print "Thread's context at start %s" % context.get_current().to_dict()
admin_cxt = context.get_admin_context()
print "Thread's context after oslo get_admin_context %s" % context.get_current().to_dict()
admin_cxt = cinder_context.get_admin_context()
print "Thread's context after cinder get_admin_context %s" % context.get_current().to_dict()
Produces output:
Thread's context at start {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after oslo get_admin_context {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after cinder get_admin_context {'domain': None, 'project_name': None, 'project_domain': None, 'timestamp': '2015-10-29T14:26:19.880000', 'auth_token': None, 'remote_address': None, 'quota_class': None, 'resource_uuid': None, 'is_admin': True, 'user': None, 'service_catalog': [], 'tenant': None, 'read_only': False, 'project_id': None, 'user_id': None, 'show_deleted': False, 'roles': ['admin'], 'user_identity': '- - - - -', 'read_deleted': 'no', 'request_id': 'req-585989b8-d431-4352-93f2-f313147fa715', 'user_domain': None}
[1] https://github.com/openstack/cinder/blob/master/cinder/context.py#L73 |
Cinder's cinder.context.get_admin_context is inadvertently elevating the thread to use an admin context and essentially discards the thread's user context for the remainder of the request.
This has security implications since any calls done after cinder.context.get_admin_context that obtain and use the thread's current context will be using an admin context instead of the user's context.
This has serviceability implications because every call to get_admin_context will switch the thread's context, which changes the request ID. This makes it very difficult or impossible to use the request ID in log entries to follow a request through a flow.
The root cause is that cinder.context.RequestContext class' __init__ is not passing overwrite=overwrite to the parent class as it should at [1].
I looked at Nova and it does not have this problem.
I looked at Neutron and its get_admin_context flow does not have this problem but the neutron.context.py get_admin_context_without_session method will have this same issue.
Those are the only other projects I checked.
I have not opened a bug against neutron or any other services since I am not sure on the procedures for security issues that hit multiple projects like this one.
Recreation code:
from cinder import context as cinder_context
from oslo_context import context
context.RequestContext()
print "Thread's context at start %s" % context.get_current().to_dict()
admin_cxt = context.get_admin_context()
print "Thread's context after oslo get_admin_context %s" % context.get_current().to_dict()
admin_cxt = cinder_context.get_admin_context()
print "Thread's context after cinder get_admin_context %s" % context.get_current().to_dict()
Produces output:
Thread's context at start {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after oslo get_admin_context {'domain': None, 'project_domain': None, 'auth_token': None, 'resource_uuid': None, 'is_admin': False, 'user': None, 'tenant': None, 'read_only': False, 'show_deleted': False, 'user_identity': '- - - - -', 'request_id': 'req-9e09cfa9-33de-4aee-ae19-caa2613b2fb2', 'user_domain': None}
Thread's context after cinder get_admin_context {'domain': None, 'project_name': None, 'project_domain': None, 'timestamp': '2015-10-29T14:26:19.880000', 'auth_token': None, 'remote_address': None, 'quota_class': None, 'resource_uuid': None, 'is_admin': True, 'user': None, 'service_catalog': [], 'tenant': None, 'read_only': False, 'project_id': None, 'user_id': None, 'show_deleted': False, 'roles': ['admin'], 'user_identity': '- - - - -', 'read_deleted': 'no', 'request_id': 'req-585989b8-d431-4352-93f2-f313147fa715', 'user_domain': None}
[1] https://github.com/openstack/cinder/blob/master/cinder/context.py#L73 |
|
| 2015-12-15 16:31:12 |
Tristan Cacqueray |
information type |
Private Security |
Public |
|
| 2015-12-16 21:18:53 |
OpenStack Infra |
cinder: status |
New |
In Progress |
|
| 2015-12-16 21:18:53 |
OpenStack Infra |
cinder: assignee |
|
Samuel Matzek (smatzek) |
|
| 2016-03-14 10:58:41 |
Sergey Reshetnyak |
sahara: status |
New |
Incomplete |
|
| 2016-03-14 17:56:02 |
Matthew Edmonds |
sahara: status |
Incomplete |
New |
|
| 2016-03-14 18:02:49 |
Matthew Edmonds |
cinder: status |
In Progress |
Fix Committed |
|
| 2016-03-15 05:22:36 |
Vitalii Gridnev |
sahara: importance |
Undecided |
Low |
|
| 2016-03-15 05:22:41 |
Vitalii Gridnev |
sahara: status |
New |
In Progress |
|
| 2016-03-15 20:57:43 |
Vitalii Gridnev |
sahara: milestone |
|
mitaka-rc1 |
|
| 2016-03-15 21:48:24 |
OpenStack Infra |
sahara: status |
In Progress |
Fix Released |
|
| 2016-03-22 03:08:26 |
Sean McGinnis |
cinder: status |
Fix Committed |
Fix Released |
|
