tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware

Bug #1494896 reported by James Slagle
Affects   Status        Importance  Assigned to     Milestone
tripleo   Fix Released  High        Emilien Macchi

Bug Description

Christian Schwede and Garth Mollett from Red Hat reported a
vulnerability in tripleo-heat-templates. When the staticweb middleware
is enabled, it is incorrectly configured before the keystone auth
middleware, reporting containers with staticweb listings enabled as
empty and private while in fact they are publicly accessible. A possible
unrecognized information leak might be the result. All setups configured
with the staticweb middleware are affected.

Changed in tripleo:
status: New → Confirmed
summary: - openstack-tripleo-heat-templates: unsafe pipeline ordering of swift
- staticweb middleware
+ tripleo-heat-templates: unsafe pipeline ordering of swift staticweb
+ middleware
Revision history for this message
Emilien Macchi (emilienm) wrote :

In attachment, the patch to apply in master.

Revision history for this message
Dan Prince (dan-prince) wrote :

+2 patch looks good

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@Emilien, can we switch bug 1489749 to public now?

Revision history for this message
Emilien Macchi (emilienm) wrote :

Since https://bugs.launchpad.net/swift/+bug/1489749 has nothing to do with puppet-swift anymore, I think we can switch it to public now.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Disclosure date is 2015-09-22.

information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/226541
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
Submitter: Jenkins
Branch: master

commit 1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476
Author: Emilien Macchi <email address hidden>
Date: Fri Sep 11 14:51:02 2015 -0400

    Put staticweb middleware after keystoneauth in proxy pipeline

    The staticweb middleware needs to be put after authentication
    middlewares to ensure correct functionality as documented in
    http://docs.openstack.org/developer/swift/middleware.html#staticweb

    Without this Swift sends an HTML response even if the request was done
    using an X-Auth-Token. This might result in faulty handling of the response on
    the client side; for example, "swift stat containername" would report an empty,
    private container, while the container might actually be publicly readable with
    data stored in it.

    Closes-bug: 1494896
    Change-Id: Id48840e0041f8d272e08def292fbedfaf76bbfbb
    Co-Authored-By: Christian Schwede <email address hidden>

Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
status: Confirmed → In Progress
status: In Progress → Fix Committed
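A small configuration check for the ordering problem described in the report and in the commit message above, added here as an example; it is not code from tripleo-heat-templates, instack-undercloud or the attached patch. The proxy-server.conf fragments are constructed, and the filter names (authtoken, keystoneauth, tempauth, staticweb) are Swift's standard ones.

```python
"""Check a Swift proxy-server.conf [pipeline:main] for staticweb being
placed before the auth middlewares. staticweb must run after auth so an
authenticated request (X-Auth-Token) is not answered with a public
listing, which is what made "swift stat" misreport public containers."""
import configparser

# Auth middlewares that must precede staticweb in the pipeline.
AUTH_MIDDLEWARES = ("authtoken", "keystoneauth", "tempauth")

# Constructed sample configs (not the templates from this report).
BAD_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystoneauth proxy-server
"""
GOOD_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystoneauth staticweb proxy-server
"""


def pipeline_from_conf(text):
    """Return the ordered list of filter names in [pipeline:main]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.get("pipeline:main", "pipeline").split()


def staticweb_misordered(pipeline):
    """Return the auth middlewares that appear *after* staticweb.

    An empty list means the ordering is safe or staticweb is not used.
    """
    if "staticweb" not in pipeline:
        return []
    sw = pipeline.index("staticweb")
    return [m for m in AUTH_MIDDLEWARES
            if m in pipeline and pipeline.index(m) > sw]


def check_conf(text):
    """Parse a proxy-server.conf text and report the misordering, if any."""
    return staticweb_misordered(pipeline_from_conf(text))


if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        late = check_conf(conf)
        verdict = ("UNSAFE: staticweb precedes " + ", ".join(late)) if late else "ok"
        print(name, verdict)
```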
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/226907

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/226907
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=033f9d76b677eb2d01aa6c875365195019862aa0
Submitter: Jenkins
Branch: master

commit 033f9d76b677eb2d01aa6c875365195019862aa0
Author: Dan Prince <email address hidden>
Date: Wed Sep 23 14:03:48 2015 -0400

    Put staticweb middleware after keystoneauth in proxy

    The staticweb middleware needs to be put after authentication
    middlewares to ensure correct functionality as documented in
    http://docs.openstack.org/developer/swift/middleware.html#staticweb

    Without this Swift sends an HTML response even if the request was done
    using an X-Auth-Token. This might result in faulty handling of the
    response on the client side; for example, "swift stat containername"
    would report an empty, private container, while the container might
    actually be publicly readable with data stored in it.

    Change-Id: Id008847376914752d7a30ce7bdd8c33a44bfb4fe
    Related-bug: 1494896

Revision history for this message
Garth Mollett (gmollett) wrote :

This should probably be posted to oss-sec along with the CVE (CVE-2015-5271) it was assigned now the bug has been opened.

Steven Hardy (shardy)
Changed in tripleo:
status: Fix Committed → Fix Released