[Openstack-security] [Bug 1290537] Re: RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)
OpenStack Infra
1290537 at bugs.launchpad.net
Wed Apr 9 17:36:32 UTC 2014
Reviewed: https://review.openstack.org/86358
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=d4056f8723cc6cefb28ff6e5a7c0df5ea77f82ef
Submitter: Jenkins
Branch: master
commit d4056f8723cc6cefb28ff6e5a7c0df5ea77f82ef
Author: Andrew Laski <andrew.laski at rackspace.com>
Date: Thu Mar 20 19:04:09 2014 -0400
Add RBAC policy for ec2 API security groups calls
The revoke_security_group_ingress, revoke_security_group_ingress, and
delete_security_group calls in the ec2 API were not restricted by policy
checks. This prevented a deployer from restricting their usage via
roles or other checks. Checks have been added for these calls.
Closes-Bug: #1290537
Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
** Changed in: nova
Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/1290537
Title:
RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)
Status in OpenStack Compute (Nova):
Fix Committed
Status in OpenStack Compute (nova) havana series:
New
Status in OpenStack Security Advisories:
Fix Committed
Bug description:
It seems that when using the EC2 API, the security group implementation does not enforce RBAC policy for the add_rules, remove_rules, destroy and other functions (in compute/api.py). Only the add_to_instance and remove_from_instance functions enforce RBAC. This seems like an oversight for obvious reasons.
The Nova API security group implementation does enforce RBAC on these
functions.
In addition, the add_to_instance and remove_from_instance functions
which are wrapped in RBAC verification use the
"compute:security_groups" action which is not even listed in the
default /etc/nova/policy.json. The latter is confusing to users.
This is the case on Grizzly and at first glance, it doesn't look like
this has changed in Havana.
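The report above describes two things a deployer should be able to verify: whether an API entry point actually calls into the policy engine at all, and what happens when the action name it checks is absent from policy.json (in Nova's policy engine an unlisted action falls through to the "default" rule, which in the stock file is "rule:admin_or_owner"). The following is an added example, not Nova's code and not the committed patch: it uses a toy evaluator that mimics only the subset of the policy.json rule language needed here, a dict in place of Nova's RequestContext, and hypothetical class and action names (SecurityGroupAPIBefore/After, "compute:security_groups:delete"). It shows a plain member of one tenant adding a rule to another tenant's group unchecked on the "before" shape and denied on the "after" shape, and a deployer-added role restriction on delete taking effect only once the check exists.

```python
"""Added example (not Nova's code): policy.json-style enforcement on the
'before' and 'after' shape of the EC2 security group API.

Real Nova enforces rules via nova.policy reading /etc/nova/policy.json.
This toy engine supports only: "" (allow), "role:NAME", "is_admin:True",
"project_id:%(project_id)s", "rule:NAME", joined with "and" / "or".
"""
from functools import wraps


class PolicyNotAuthorized(Exception):
    pass


# Constructed policy table. "compute:security_groups" is deliberately
# absent, as the report says of the default policy.json, so a check on
# it falls through to "default". The ':delete' action is hypothetical,
# standing in for a restriction a deployer might add by role.
POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:security_groups:delete": "role:admin",
}


def _check_atom(atom, target, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return _check_rule(POLICY[match], target, creds)
    if kind == "role":
        return match in creds["roles"]
    # generic "<credential>:<value>"; value may interpolate target fields
    return str(creds.get(kind)) == match % target


def _check_rule(rule, target, creds):
    if not rule.strip():
        return True  # empty rule: always allowed
    for conjunction in rule.split(" or "):
        if all(_check_atom(a.strip(), target, creds)
               for a in conjunction.split(" and ")):
            return True
    return False


def enforce(context, action, target):
    """Raise PolicyNotAuthorized unless context may do action on target."""
    rule = POLICY.get(action, POLICY["default"])
    if not _check_rule(rule, target, context):
        raise PolicyNotAuthorized(action)


def wrap_check_policy(action):
    """Simplified stand-in for nova's wrap_check_policy decorator."""
    def decorator(func):
        @wraps(func)
        def wrapped(self, context, target, *args, **kwargs):
            enforce(context, action, target)
            return func(self, context, target, *args, **kwargs)
        return wrapped
    return decorator


class SecurityGroupAPIBefore:
    """Shape of the bug: no policy check on add_rules or destroy."""
    def __init__(self):
        self.rules = []

    def add_rules(self, context, target, rule):
        self.rules.append(rule)
        return len(self.rules)

    def destroy(self, context, target):
        self.rules.clear()
        return True


class SecurityGroupAPIAfter:
    """Shape of the fix: every entry point enforces a policy action."""
    def __init__(self):
        self.rules = []

    @wrap_check_policy("compute:security_groups")  # unlisted -> "default"
    def add_rules(self, context, target, rule):
        self.rules.append(rule)
        return len(self.rules)

    @wrap_check_policy("compute:security_groups:delete")  # hypothetical
    def destroy(self, context, target):
        self.rules.clear()
        return True


def _allowed(call):
    try:
        call()
        return True
    except PolicyNotAuthorized:
        return False


def demo():
    """Constructed contexts: a member of tenant-a and a cloud admin."""
    member = {"roles": ["member"], "project_id": "tenant-a", "is_admin": False}
    admin = {"roles": ["admin"], "project_id": "ops", "is_admin": True}
    own_group, other_group = {"project_id": "tenant-a"}, {"project_id": "tenant-b"}
    ssh = {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}
    before, after = SecurityGroupAPIBefore(), SecurityGroupAPIAfter()
    return {
        "before_member_foreign_add": _allowed(lambda: before.add_rules(member, other_group, ssh)),
        "after_member_foreign_add": _allowed(lambda: after.add_rules(member, other_group, ssh)),
        "after_member_own_add": _allowed(lambda: after.add_rules(member, own_group, ssh)),
        "after_member_own_destroy": _allowed(lambda: after.destroy(member, own_group)),
        "after_admin_foreign_destroy": _allowed(lambda: after.destroy(admin, other_group)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point for a deployer auditing their own tree is the first line of each "after" method: a role restriction written into policy.json has no effect on any entry point that never calls enforce, which is exactly why the EC2 path's add_rules and destroy could not be restricted before the fix. When auditing, grep every public method of the security group API for the policy decorator rather than trusting that the Nova-native path's checks cover the EC2 path.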