[Openstack-security] [Bug 1341954] Re: suds client subject to cache poisoning by local attacker

OpenStack Infra 1341954 at bugs.launchpad.net
Wed Sep 10 10:48:07 UTC 2014


Reviewed:  https://review.openstack.org/118565
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=3c3530db2445eca9be583715ff689bd746e6d387
Submitter: Jenkins
Branch:    stable/havana

commit 3c3530db2445eca9be583715ff689bd746e6d387
Author: Vipin Balachandran <vbala at vmware.com>
Date:   Fri Aug 22 10:19:29 2014 +0530

    VMware: Disable suds caching
    
    The default cache implementation in suds stores pickled objects in a
    predictable path in /tmp which could lead to attacks. This patch
    turns off suds caching to address this security issue.
    
    Conflicts:
            cinder/volume/drivers/vmware/pbm.py
    
    Change-Id: I7daaa25a0677004e03896298e9c3026d5c33c6ac
    Closes-Bug: #1341954
    (cherry picked from commit 6a41fe9c5c98a14a355fa81b41aae2c4b0ce0a7b)


** Tags added: in-stable-havana

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1341954

Title:
  suds client subject to cache poisoning by local attacker

Status in Cinder:
  Fix Released
Status in Gantt:
  New
Status in OpenStack Compute (Nova):
  Confirmed
Status in Oslo VMware library for OpenStack projects:
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  
  The suds project appears to be largely unmaintained upstream. The default cache implementation stores pickled objects to a predictable path in /tmp. This can be used by a local attacker to redirect SOAP requests via symlinks or run a privilege escalation / code execution attack via a pickle exploit. 

  cinder/requirements.txt:suds>=0.4
  gantt/requirements.txt:suds>=0.4
  nova/requirements.txt:suds>=0.4
  oslo.vmware/requirements.txt:suds>=0.4

  
  The details are available here - 
  https://bugzilla.redhat.com/show_bug.cgi?id=978696
  (CVE-2013-2217)

  Although this is an unlikely attack vector, steps should be taken to
  prevent this behaviour. Potential ways to fix this are by explicitly
  setting the cache location to a directory created via
  tempfile.mkdtemp(), disabling the cache with
  client.set_options(cache=None), or using a custom cache implementation
  that doesn't load / store pickled objects from an insecure location.
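
An added example, not part of the original bug report or the Cinder patch: a check for the conditions the report describes (a cache directory at a predictable path that another local user could pre-create, replace with a symlink, or write to), next to the tempfile.mkdtemp() alternative it suggests. The function names and the `soap-cache-` prefix are assumptions, and suds itself is not imported.

```python
import os
import shutil
import stat
import tempfile


def audit_cache_dir(path):
    """Return reasons why `path` is unsafe as a per-user cache directory."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a symlink target
    except FileNotFoundError:
        return ["does not exist: whoever creates it first controls its contents"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink: reads and writes land wherever its creator pointed it"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.geteuid():
        problems.append("is owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("is group- or world-writable")
    return problems


def make_private_cache_dir():
    """Create a cache directory with an unpredictable name and mode 0700."""
    # "soap-cache-" is a hypothetical prefix chosen for this example.
    return tempfile.mkdtemp(prefix="soap-cache-")


if __name__ == "__main__":
    # Constructed layout standing in for a shared /tmp; nothing outside it is touched.
    shared = tempfile.mkdtemp()
    fixed = os.path.join(shared, "suds")        # predictable name, as in the report
    os.mkdir(fixed)
    os.chmod(fixed, 0o777)                       # writable by every local user
    planted = os.path.join(shared, "suds-link")
    os.symlink(fixed, planted)                   # symlink sitting at a predictable name
    private = make_private_cache_dir()
    for label, p in [("fixed", fixed), ("symlink", planted), ("private", private)]:
        print(label, audit_cache_dir(p) or "ok")
    shutil.rmtree(shared)
    os.rmdir(private)
```

An empty list from `audit_cache_dir` means the directory is owned by the current user, is not a symlink, and is not writable by group or others; pickled cache files should only be loaded from a directory that passes.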
