From 1653626 at bugs.launchpad.net  Tue Jan  3 08:11:48 2017
From: 1653626 at bugs.launchpad.net (Vinita Deshpande)
Date: Tue, 03 Jan 2017 08:11:48 -0000
Subject: [Openstack-security] [Bug 1653626] [NEW] IBM User tries to
 communicate with CoprHD securely, but fails to do so
Message-ID: <20170103081148.1756.73437.malonedeb@chaenomeles.canonical.com>

Public bug reported:

An IBM user wanted to communicate with our backend CoprHD driver using certificate. But right now, there is not provision to do so. CoprHD should provide an option in config to perform all operations (REST API calls)
using certificate verification. Both CA signed and self-signed certificates should be supported.

** Affects: cinder
     Importance: Undecided
     Assignee: Vinita Deshpande (vinita)
         Status: In Progress


** Tags: coprhd security

** Changed in: cinder
       Status: New => In Progress

** Changed in: cinder
     Assignee: (unassigned) => Vinita Deshpande (vinita)

** Description changed:

- An IBM user wanted to communicate with our backend CoprHD driver using SSL. But right now, there is not provision to do so. CoprHD should provide an option in config to perform all operations (REST API calls)
+ An IBM user wanted to communicate with our backend CoprHD driver using certificate. But right now, there is not provision to do so. CoprHD should provide an option in config to perform all operations (REST API calls)
  using certificate verification. Both CA signed and self-signed certificates should be supported.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1653626

Title:
  IBM User tries to communicate with CoprHD securely, but fails to do so

Status in Cinder:
  In Progress

Bug description:
  An IBM user wanted to communicate with our backend CoprHD driver using certificate. But right now, there is not provision to do so. CoprHD should provide an option in config to perform all operations (REST API calls)
  using certificate verification. Both CA signed and self-signed certificates should be supported.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1653626/+subscriptions



From 1653626 at bugs.launchpad.net  Tue Jan  3 13:22:34 2017
From: 1653626 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 03 Jan 2017 13:22:34 -0000
Subject: [Openstack-security] [Bug 1653626] Fix proposed to cinder (master)
References: <20170103081148.1756.73437.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170103132234.1540.99202.malone@chaenomeles.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/416236

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1653626

Title:
  IBM User tries to communicate with CoprHD securely, but fails to do so

Status in Cinder:
  In Progress

Bug description:
  An IBM user wanted to communicate with our backend CoprHD driver using certificate. But right now, there is not provision to do so. CoprHD should provide an option in config to perform all operations (REST API calls)
  using certificate verification. Both CA signed and self-signed certificates should be supported.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1653626/+subscriptions



From 1188189 at bugs.launchpad.net  Wed Jan 11 22:10:29 2017
From: 1188189 at bugs.launchpad.net (Xing Yang)
Date: Wed, 11 Jan 2017 22:10:29 -0000
Subject: [Openstack-security] [Bug 1188189] Re: Some server-side 'SSL'
 communication fails to check certificates (use of HTTPSConnection)
References: <20130606134102.14097.28030.malonedeb@soybean.canonical.com>
Message-ID: <20170111221029.26987.47713.malone@chaenomeles.canonical.com>

In Cinder, the following drivers are using six.moves.http_client, which
on python 2.7 I believe calls httplib:

   Location: cinder/cinder/volume/drivers/blockbridge.py:149
   Location: cinder/cinder/volume/drivers/cloudbyte/cloudbyte.py:116
   Location: cinder/cinder/volume/drivers/prophetstor/dplcommon.py:102
   Location: cinder/cinder/volume/drivers/prophetstor/dplcommon.py:124
   Location: cinder/cinder/volume/drivers/qnap.py:814
   Location: cinder/cinder/volume/drivers/zadara.py:238

See reference of six.moves.http_client calling httplib here:
https://pythonhosted.org/six/

Re-opening the bug.

** Changed in: cinder
       Status: Invalid => Triaged

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  Triaged
Status in OpenStack Identity (keystone):
  Fix Released
Status in neutron:
  Fix Released
Status in oslo.vmware:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in python-keystoneclient:
  Fix Released
Status in OpenStack Object Storage (swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions



From fungi at yuggoth.org  Wed Jan 11 22:53:07 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 11 Jan 2017 22:53:07 -0000
Subject: [Openstack-security] [Bug 1649446] Re: Non-Admin Access to
	Revocation Events
References: <20161213023643.29317.10154.malonedeb@wampee.canonical.com>
Message-ID: <20170111225307.21271.21705.malone@gac.canonical.com>

Consensus seems to be that this was intentional behavior, but worth
changing (as evidenced by a subsequent fix to master). Given that and
the lack of stable branch backports, I'm going to treat this as a
security hardening opportunity. If there is fierce disagreement favoring
backports and an official advisory, we can revisit the classification at
that time.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649446

Title:
  Non-Admin Access to Revocation Events

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  With the default Keystone policy any authed user can list all revocation events for the cluster:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L179

  This can be done by directly calling the API as such:
  curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: <non_admin_token_goes_here>"

  and this will provide you with a normal revocation event list (see
  attachment).

  This will allow a user to over time collect a list of user_ids and
  project_ids. The project_ids aren't particularly useful, but the
  user_ids can be used to lock people of of their accounts. Or if rate
  limiting is not setup (a bad idea), or somehow bypassed, would allow
  someone to brute force access to those ids.

  Knowing the ids is no worse than knowing the usernames, but as a non-
  admin you shouldn't have access to such a list anyway.

  It is also worth noting that OpenStack policy files are rife with
  these blank policy rules, not just Keystone. Some are safe and
  intended to be accessible by any authed user, others are checked at
  the code layer, but there may be other rules that are unsafe to expose
  to any authed user and as such should actually default to
  "rule:admin_required" or something other than blank.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1649446/+subscriptions



From morgan.fainberg at gmail.com  Thu Jan 12 19:16:38 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Thu, 12 Jan 2017 19:16:38 -0000
Subject: [Openstack-security] [Bug 1656076] [NEW] The keystone server auth
 pluigin methods could mismatch user_id in auth_context
Message-ID: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>

*** This bug is a security vulnerability ***

Public security bug reported:

The keystone server blindly overwrites the auth_context.user_id in each
auth method that is run. This means that the last auth_method that is
run for a given authentication request dictates the user_id.

While this is not exploitable externally without misconfiguration of the
external plugin methods and supporting services, this is a bad state
that could relatively easily result in someone ending up authenticated
with the wrong user_id.

The simplest fix will be to have the for loop in the authentication
controller (that iterates over the methods) to verify the user_id does
not change between auth_methods executed.

https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

This has been marked as public security for hardening purposes, likely a
"Class D" https://security.openstack.org/vmt-process.html#incident-
report-taxonomy

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: authentication security

** Tags added: authentication security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  New

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From morgan.fainberg at gmail.com  Thu Jan 12 19:22:49 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Thu, 12 Jan 2017 19:22:49 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 pluigin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170112192249.20325.41981.malone@wampee.canonical.com>

This probably should also be a lower-prio backport if possible. not a
huge risk, but good to ensure we aren't in a bad state if auth methods
mutate the user-id between method validation.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  New

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From morgan.fainberg at gmail.com  Thu Jan 12 23:25:11 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Thu, 12 Jan 2017 23:25:11 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 pluigin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170112232514.13870.99851.launchpad@soybean.canonical.com>

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystone
     Assignee: (unassigned) => Morgan Fainberg (mdrnstm)

** Also affects: keystone/newton
   Importance: Undecided
       Status: New

** Also affects: keystone/mitaka
   Importance: Undecided
       Status: New

** Also affects: keystone/ocata
   Importance: Medium
     Assignee: Morgan Fainberg (mdrnstm)
       Status: Triaged

** Changed in: keystone/newton
       Status: New => Triaged

** Changed in: keystone/newton
   Importance: Undecided => Medium

** Changed in: keystone/mitaka
       Status: New => Triaged

** Changed in: keystone/mitaka
   Importance: Undecided => Medium

** Changed in: keystone/mitaka
     Assignee: (unassigned) => Morgan Fainberg (mdrnstm)

** Changed in: keystone/newton
     Assignee: (unassigned) => Morgan Fainberg (mdrnstm)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Identity (keystone) mitaka series:
  Triaged
Status in OpenStack Identity (keystone) newton series:
  Triaged
Status in OpenStack Identity (keystone) ocata series:
  Triaged

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Thu Jan 12 23:49:20 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 12 Jan 2017 23:49:20 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 pluigin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170112234920.14419.6988.malone@soybean.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/419693

** Changed in: keystone
       Status: Triaged => In Progress

** Changed in: keystone/newton
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  In Progress
Status in OpenStack Identity (keystone) newton series:
  In Progress
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Thu Jan 12 23:50:03 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 12 Jan 2017 23:50:03 -0000
Subject: [Openstack-security] [Bug 1656076] Fix proposed to keystone
	(stable/newton)
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170112235003.26927.71644.malone@chaenomeles.canonical.com>

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/419694

** Changed in: keystone/mitaka
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  In Progress
Status in OpenStack Identity (keystone) newton series:
  In Progress
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Thu Jan 12 23:50:19 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 12 Jan 2017 23:50:19 -0000
Subject: [Openstack-security] [Bug 1656076] Fix proposed to keystone
	(stable/mitaka)
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170112235019.27094.86731.malone@chaenomeles.canonical.com>

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/419695

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  In Progress
Status in OpenStack Identity (keystone) newton series:
  In Progress
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From morgan.fainberg at gmail.com  Fri Jan 13 01:05:47 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Fri, 13 Jan 2017 01:05:47 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 pluigin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113010547.20557.63076.malone@wampee.canonical.com>

Turns out the issue comes from the test suite not using the AuthContext
object. A new patch to ensure we are using AuthContext not a dict will
be proposed in lieu of the current fix.

** Changed in: keystone/mitaka
       Status: In Progress => Invalid

** Changed in: keystone/newton
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From rodrigodsousa at gmail.com  Fri Jan 13 02:02:33 2017
From: rodrigodsousa at gmail.com (Rodrigo Duarte)
Date: Fri, 13 Jan 2017 02:02:33 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 plugin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113020234.19945.90452.launchpad@wampee.canonical.com>

** Summary changed:

- The keystone server auth pluigin methods could mismatch user_id in auth_context
+ The keystone server auth plugin methods could mismatch user_id in auth_context

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Fri Jan 13 02:12:31 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 13 Jan 2017 02:12:31 -0000
Subject: [Openstack-security] [Bug 1656076] Change abandoned on keystone
	(stable/mitaka)
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113021231.27560.33595.malone@chaenomeles.canonical.com>

Change abandoned by Morgan Fainberg (morgan.fainberg at gmail.com) on branch: stable/mitaka
Review: https://review.openstack.org/419695

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Fri Jan 13 02:12:36 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 13 Jan 2017 02:12:36 -0000
Subject: [Openstack-security] [Bug 1656076] Change abandoned on keystone
	(stable/newton)
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113021236.27094.28300.malone@chaenomeles.canonical.com>

Change abandoned by Morgan Fainberg (morgan.fainberg at gmail.com) on branch: stable/newton
Review: https://review.openstack.org/419694

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Fri Jan 13 03:38:59 2017
From: 1656076 at bugs.launchpad.net (Steve Martinelli)
Date: Fri, 13 Jan 2017 03:38:59 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 plugin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113033902.27489.16334.launchpad@chaenomeles.canonical.com>

** Changed in: keystone/ocata
    Milestone: None => ocata-3

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Fri Jan 13 17:29:33 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 13 Jan 2017 17:29:33 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 plugin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113172936.14064.31687.launchpad@soybean.canonical.com>

** Changed in: keystone
     Assignee: Morgan Fainberg (mdrnstm) => Steve Martinelli (stevemar)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Fri Jan 13 17:29:53 2017
From: 1656076 at bugs.launchpad.net (Steve Martinelli)
Date: Fri, 13 Jan 2017 17:29:53 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 plugin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170113172955.14534.73227.launchpad@soybean.canonical.com>

** Changed in: keystone/ocata
     Assignee: Steve Martinelli (stevemar) => Morgan Fainberg (mdrnstm)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1656076 at bugs.launchpad.net  Sat Jan 14 10:35:27 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Sat, 14 Jan 2017 10:35:27 -0000
Subject: [Openstack-security] [Bug 1656076] Re: The keystone server auth
 plugin methods could mismatch user_id in auth_context
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170114103527.20059.56811.malone@wampee.canonical.com>

Reviewed:  https://review.openstack.org/419693
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Submitter: Jenkins
Branch:    master

commit 0f3f08c3df0dd6c32e685dae6726e945b01ea8c7
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date:   Thu Jan 12 15:19:48 2017 -0800

    Force use of AuthContext object in .authentcate()
    
    Force the keystone.auth.controllers.Auth.authenticate method to
    require the use of an AuthContext object instead of something
    duck-typed (dictionary). This is done to ensure the security and
    integrity of IDENTITY_KEYS are covered and values are not changed
    by a plugin due to the security built into AuthContext being
    circumvented since it was not used. This is not pythonic, this
    is being done for hardening purposes.
    
    Change-Id: I013846af59587d17b15ca4cf546e6372231f576e
    Closes-Bug: #1656076


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  Fix Released

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From major at mhtx.net  Mon Jan 16 13:58:56 2017
From: major at mhtx.net (Major Hayden)
Date: Mon, 16 Jan 2017 13:58:56 -0000
Subject: [Openstack-security] [Bug 1583804] Re: Security role should require
 an email to receive root's mail
References: <20160519213008.8116.80335.malonedeb@soybean.canonical.com>
Message-ID: <20170116135856.20152.82193.malone@wampee.canonical.com>

RHEL 6 STIG content is now deprecated.

** Changed in: openstack-ansible
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1583804

Title:
  Security role should require an email to receive root's mail

Status in openstack-ansible:
  Won't Fix

Bug description:
  V-38680 requires that someone must receive root's email. There is not
  a hard requirement at the moment to set security_root_forward_email
  prior to running the security hardening role.  There should be a pre-
  flight check that ensures this value is set.

  I'd like some more input on how we can handle this without halting the
  playbook run since users might not understand that this is a required
  configuration item.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1583804/+subscriptions



From major at mhtx.net  Mon Jan 16 13:58:34 2017
From: major at mhtx.net (Major Hayden)
Date: Mon, 16 Jan 2017 13:58:34 -0000
Subject: [Openstack-security] [Bug 1583788] Re: Security role should use
 pam_faillock for V-38501 on CentOS
References: <20160519204832.823.4874.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170116135834.20965.31297.malone@gac.canonical.com>

The RHEL 6 content is being deprecated and pam_faillock is used in the
RHEL 7 STIG content.

** Changed in: openstack-ansible
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1583788

Title:
  Security role should use pam_faillock for V-38501 on CentOS

Status in openstack-ansible:
  Won't Fix

Bug description:
  Ubuntu doesn't package pam_faillock, so fail2ban was used to satisfy
  the requirements in V-38501. CentOS 7 has pam_faillock and it should
  be used on CentOS 7 to more closely align with the STIG's
  requirements.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1583788/+subscriptions



From major at mhtx.net  Mon Jan 16 13:57:58 2017
From: major at mhtx.net (Major Hayden)
Date: Mon, 16 Jan 2017 13:57:58 -0000
Subject: [Openstack-security] [Bug 1568070] Re: Security: Identify which
	changes require a reboot
References: <20160408175640.32100.77020.malonedeb@soybean.canonical.com>
Message-ID: <20170116135801.14243.25602.launchpad@soybean.canonical.com>

** Changed in: openstack-ansible
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1568070

Title:
  Security: Identify which changes require a reboot

Status in openstack-ansible:
  Won't Fix

Bug description:
  Some changes made by openstack-ansible-security require a reboot. It
  would be nice to alert the deployer to those changes at the end of the
  playbook run so they know if they had a change made that requires a
  reboot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1568070/+subscriptions



From major at mhtx.net  Mon Jan 16 13:57:48 2017
From: major at mhtx.net (Major Hayden)
Date: Mon, 16 Jan 2017 13:57:48 -0000
Subject: [Openstack-security] [Bug 1568027] Re: Security: Add docs for
	monitoring logs/notifications
References: <20160408161603.3473.89222.malonedeb@gac.canonical.com>
Message-ID: <20170116135750.27406.2140.launchpad@chaenomeles.canonical.com>

** Changed in: openstack-ansible
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1568027

Title:
  Security: Add docs for monitoring logs/notifications

Status in openstack-ansible:
  Won't Fix

Bug description:
  The openstack-ansible-security docs talk about the AIDE and Auditd
  changes, but they don't talk much about what deployers should be doing
  with those notifications.  Adding some friendly advice about how to
  handle these would be very useful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1568027/+subscriptions



From major at mhtx.net  Mon Jan 16 14:15:18 2017
From: major at mhtx.net (Major Hayden)
Date: Mon, 16 Jan 2017 14:15:18 -0000
Subject: [Openstack-security] [Bug 1590185] Re: "V-38496 - Gather
 problematic system accounts" check fails on RHEL 7
References: <20160607232139.12031.65314.malonedeb@wampee.canonical.com>
Message-ID: <20170116141520.20557.89161.launchpad@wampee.canonical.com>

** Changed in: openstack-ansible
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1590185

Title:
  "V-38496 - Gather problematic system accounts" check fails on RHEL 7

Status in openstack-ansible:
  Invalid

Bug description:
  The check "V-38496 - Gather problematic system accounts" fails
  gloriously due to RHEL 7 not using jinja2.8 by default.  The specific
  issue is due to Jinja being 2.7 and not 2.8.

  If see the following error then you need to run "pip install Jinja2
  --upgrade":

  TASK: [openstack-ansible-security | V-38496 - Gather problematic system accounts] *** 
  fatal: [172.31.255.20] => Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor
      exec_rc = self._executor_internal(host, new_stdin)
    File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal
      return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
    File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 1013, in _executor_internal_inner
      complex_args = template.template(self.basedir, complex_args, inject, fail_on_undefined=self.error_on_undefined_vars)
    File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 140, in template
      d[k] = template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal)
    File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 124, in template
      varname = template_from_string(basedir, varname, templatevars, fail_on_undefined)
    File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 382, in template_from_string
      res = jinja2.utils.concat(rf)
    File "<template>", line 11, in root
    File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 318, in do_join
      return text_type(d).join(imap(text_type, value))
    File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 931, in _select_or_reject
      if modfunc(func(transfunc(item))):
    File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 925, in <lambda>
      name, item, args, kwargs)
    File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 438, in call_test
      raise TemplateRuntimeError('no test named %r' % name)
  TemplateRuntimeError: no test named 'equalto'

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1590185/+subscriptions



From 1419577 at bugs.launchpad.net  Tue Jan 17 13:20:19 2017
From: 1419577 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 17 Jan 2017 13:20:19 -0000
Subject: [Openstack-security] [Bug 1419577] Re: when live-migrate failed,
 lun-id couldn't be rollback in havana
References: <20150209012956.20741.53343.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170117132021.21058.9641.launchpad@gac.canonical.com>

** Changed in: nova
       Status: Confirmed => In Progress

** Changed in: nova
     Assignee: (unassigned) => Lee Yarwood (lyarwood)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1419577

Title:
  when live-migrate failed, lun-id couldn't be rollback in havana

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Hi, guys

  When live-migrate failed with error, lun-id of connection_info column in Nova's block_deivce_mapping table couldn't be rollback.
  and failed VM can have others volume.

  my test environment is following :

  Openstack Version : Havana ( 2013.2.3)
  Compute Node OS : 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
  Compute Node multipath : multipath-tools 0.4.9-3ubuntu7.2

  test step is :

  1) create 2 Compute node (host#1 and host#2)
  2) create 1 VM on host#1 (vm01)
  3) create 1 cinder volume (vol01)
  4) attach 1 volume to vm01 (/dev/vdb)
  5) live-migrate vm01 from host#1 to host#2
  6) live-migrate success
       - please check the mapper by using multipath command in host#1 (# multipath -ll), then you can find mapper is not deleted.
         and the status of devices is "failed faulty"
       - please check the lun-id of vol01
  7) Again, live-migrate vm01 from host#2 to host#1 (vm01 was migrated to host#2 at step 4)
  8) live-migrate fail
       - please check the mapper in host#1
       - please check the lun-id of vol01, then you can find the lun hav "two" igroups
       - please check the connection_info column in Nova's block_deivce_mapping table, then you can find lun-id couldn't be rollback

  This Bug is critical security issue because the failed VM can have
  others volume.

  and every backend storage of cinder-volume can have same problem
  because this is the bug of live-migration's rollback process.

  I suggest below methods to solve issue :

  1) when live-migrate is complete, nova should delete mapper devices at origin host
  2) when live-migrate is failed, nova should rollback lun-id in connection_info column
  3) when live-migrate is failed, cinder should delete the mapping between lun and host (Netapp : igroup, EMC : storage_group ...)
  4) when volume-attach is requested , cinder volume driver of vendors should make lun-id randomly for reduce of probability of mis-mapping

  please check this bug.

  Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1419577/+subscriptions



From morgan.fainberg at gmail.com  Tue Jan 17 19:52:46 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Tue, 17 Jan 2017 19:52:46 -0000
Subject: [Openstack-security] [Bug 1484237] Re: token revocations not always
 respected when using fernet tokens
References: <20150812185544.5991.94491.malonedeb@gac.canonical.com>
Message-ID: <20170117195246.21116.34203.malone@gac.canonical.com>

Kilo is EOL

** Changed in: keystone/kilo
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1484237

Title:
  token revocations not always respected when using fernet tokens

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) kilo series:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A simple test that shows that fernet tokens are not always being
  invalidated.

  Simple test steps:

  1) gets a token
  2) deletes a token
  3) tries to validate the deleted token

  When I run this in production on 10 tokens, I get about a 20% success
  rate on the token being detected as invalid, 80% of the time, keystone
  tells me the token is valid.

  I have validated that the token is showing in the revocation event
  table.

  I've tried a 5 second delay between the calls which did not change the
  behavior.

  My current script (below) will look for 204 and 404 to show failure
  and will wait forever. I've let it wait over 5 minutes, it seems to me
  that either keystone knows immediately that the token is invalid or
  not at all.

  I do not have memcache enabled on these nodes.

  The same test has a 100% pass rate with UUID tokens.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484237/+subscriptions



From fungi at yuggoth.org  Tue Jan 17 20:19:05 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 17 Jan 2017 20:19:05 -0000
Subject: [Openstack-security] [Bug 1656435] Re: XSS in noVNC
References: <20170113222305.13899.72212.malonedeb@soybean.canonical.com>
Message-ID: <20170117201905.14501.74329.malone@soybean.canonical.com>

Switched to public as discussed. Thanks for the heads up on this one,
David!

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656435

Title:
  XSS in noVNC

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  I recently reported an XSS bug in noVNC, which has since been fixed in
  0.6.2: https://github.com/novnc/noVNC/issues/748.

  Depending on how OpenStack pulls in the noVNC viewer, it might be
  worth a security note or release.

  Vulnerability Summary:

  It's possible to set up a malicious noVNC server, then send someone a
  URL like http://GOOD_NOVNC/vnc_auto.html?host=BAD_NOVNC. The good noVNC
  will use a WebSocket to connect to the malicious one, then display a
  status message that runs JavaScript in the user's browser.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1656435/+subscriptions



From 1613901 at bugs.launchpad.net  Wed Jan 18 05:10:28 2017
From: 1613901 at bugs.launchpad.net (Steve Martinelli)
Date: Wed, 18 Jan 2017 05:10:28 -0000
Subject: [Openstack-security] [Bug 1613901] Re: String "..%c0%af" causes 500
 errors in multiple locations
References: <20160816233137.14656.30722.malonedeb@soybean.canonical.com>
Message-ID: <20170118051033.27020.31330.launchpad@chaenomeles.canonical.com>

** Changed in: keystone
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1613901

Title:
  String "..%c0%af" causes 500 errors in multiple locations

Status in Cinder:
  Incomplete
Status in Glance:
  New
Status in OpenStack Identity (keystone):
  Won't Fix
Status in neutron:
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

  While doing some testing on Keystone using Syntribos
  (https://github.com/openstack/syntribos), our team (myself, Michael
  Dong, Rahul U Nair, Vinay Potluri, Aastha Dixit, and Khanak Nangia)
  noticed that we got 500 status codes when the string "..%c0%af" was
  inserted in various places in the URL for different types of requests.

  Here are some examples:

  =========

  DELETE /v3/policies/..%c0%af HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  X-Auth-Token: [REDACTED]
  Content-Length: 0

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:04:27 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-238fd5a9-be45-41f2-893a-97b513b27af3
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  PATCH /v3/policies/..%c0%af HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  Content-type: application/json
  X-Auth-Token: [REDACTED]
  Content-Length: 70

  {"type": "--serialization-mime-type--", "blob": "--serialized-blob--"}

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:05:36 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-57a41600-02b4-4d2a-b3e9-40f7724d65f2
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  GET /v3/domains/0426ac1e48f642ef9544c2251e07e261/groups/..%c0%af/roles HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  X-Auth-Token: [REDACTED]

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:07:09 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-02313f77-63c6-4aa8-a87e-e3d2a13ad6b7
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  I've marked this as a security issue as a precaution in case it turns
  out that there is a more serious vulnerability underlying these
  errors. We have no reason to suspect that there is a greater
  vulnerability at this time, but given the many endpoints this seems to
  affect, I figured caution was worthwhile since this may be a
  framework-wide issue. Feel free to make this public if it is
  determined not to be security-impacting.

  Here is a (possibly incomplete) list of affected endpoints. Inserting
  the string "..%c0%af" in any or all of the spots labeled "HERE" should
  yield a 500 error. As you can see, virtually all v3 endpoints exhibit
  this behavior.

  =========

  [GET|PATCH|DELETE] /v3/endpoints/[HERE]

  [GET|PATCH]       /v3/domains/[HERE]
  GET               /v3/domains/[HERE]/groups/[HERE]/roles
  [HEAD|PUT|DELETE] /v3/domains/[HERE]/groups/[HERE]/roles/[HERE]
  GET               /v3/domains/[HERE]/users/[HERE]/roles
  [HEAD|DELETE]     /v3/domains/[HERE]/users/[HERE]/roles/[HERE]

  [GET|PATCH|DELETE] /v3/groups/[HERE]
  [HEAD|PUT|DELETE]  /v3/groups[HERE]/users/[HERE]

  [POST|DELETE] /v3/keys/[HERE]

  [GET|PATCH|DELETE] /v3/policies/[HERE]
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/endpoints/[HERE]
  [GET|HEAD]         /v3/policies/[HERE]/OS-ENDPOINT-POLICY/policy
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/[HERE]
  [PUT|DELETE]       /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/[HERE]
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/regions/[HERE]

  [GET|PATCH|DELETE] /v3/projects/[HERE]
  [DELETE|PATCH]     /v3/projects/[HERE]/cascade
  GET                /v3/projects/[HERE]/groups/[HERE]/roles
  GET                /v3/projects/[HERE]/users/[HERE]/roles
  [HEAD|PUT|DELETE]  /v3/projects/[HERE]/groups/[HERE]/roles/[HERE]

  [GET|PATCH|DELETE] /v3/regions/[HERE]

  [PATCH|DELETE] /v3/roles/[HERE]

  [GET|PATCH|DELETE] /v3/services/[HERE]

  [GET|PATCH|DELETE] /v3/users/[HERE]
  GET /v3/users/[HERE]/groups
  POST /v3/users/[HERE]/password
  GET /v3/users/[HERE]/projects

  GET                /v3/OS-OAUTH1/users/[HERE]/access_tokens/[HERE]/roles/[HERE]
  [GET|PATCH|DELETE] /v3/OS-OAUTH1/consumers/[HERE]
  [GET|DELETE]       /v3/OS-OAUTH1/users/[HERE]/access_tokens/[HERE]

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1613901/+subscriptions



From tdecacqu at redhat.com  Wed Jan 18 10:37:57 2017
From: tdecacqu at redhat.com (Tristan Cacqueray)
Date: Wed, 18 Jan 2017 10:37:57 -0000
Subject: [Openstack-security] [Bug 1572719] Re: Client may hold socket open
	after ChunkWriteTimeout
References: <20160420203849.17438.29709.malonedeb@soybean.canonical.com>
Message-ID: <20170118103757.26958.13705.malone@chaenomeles.canonical.com>

Having another look at that issue, it sounds like slow client shouldn't
be handled by OpenStack services but rather with a load balancer,
especially if the service is Internet facing.

I initially thought the problem would happen between the proxy and the
object server even after the client got disconnected, but this is not
the case since all the sockets are effectively released when the client
is disconnected.

Since there is already a Security Note in the process to cover load
balancers usage in front of OpenStack service, I suggest we close the
ossa task and triage this report as a class D according to the VMT
taxonomy ( https://security.openstack.org/vmt-process.html#incident-
report-taxonomy )

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1572719

Title:
  Client may hold socket open after ChunkWriteTimeout

Status in OpenStack Security Advisory:
  Incomplete
Status in OpenStack Object Storage (swift):
  Confirmed

Bug description:
  You can reproduce this by issuing a GET request for a few hundred MB
  file and never consuming the response, but keep the client socket
  open. Swift will log a 499 but the socket does not always close.

  ChunkWriteTimeout is meant to protect the proxy from a slow reading client:
    https://github.com/openstack/swift/blob/master/swift/proxy/controllers/base.py#L889-L905

  Sometimes when this exception is thrown there is still data in the process socket buffer, so when eventlet tries to close the socket it first flushes it:
    https://github.com/eventlet/eventlet/blob/master/eventlet/wsgi.py#L631
    https://hg.python.org/cpython/file/v2.7.11/Lib/SocketServer.py#l711

  The problem is that if the client is not consuming the socket buffer
  then that flush will wait forever; it's trying to write on a socket
  that just threw a timeout trying to write! The flush write is not
  protected by any timeout.

  As far as I can tell, this WRITE_TIMEOUT does nothing:
    https://github.com/openstack/swift/blob/master/swift/common/wsgi.py#L407

  wsgi.server() takes a socket_timeout that might be what we're after?
    https://github.com/openstack/swift/blob/master/swift/common/wsgi.py#L437-L440

  Even with socket_timeout, eventlet needs to be patched. This should be in a finally block:
    https://github.com/eventlet/eventlet/blob/master/eventlet/wsgi.py#L636-L637

  All of this is probably mitigated by most operators setting an idle
  timeout in their load balancers, but I wanted to report it. Going
  directly to a proxy I was able to hold sockets open for long periods
  of time.

  I did the initial research on version 2.2.2 but I was able to
  reproduce on 2.7.0. I'm trying to translate links to master branch on
  github. I apologize in advance if it's not quite right.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1572719/+subscriptions



From fungi at yuggoth.org  Wed Jan 18 16:14:27 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 18 Jan 2017 16:14:27 -0000
Subject: [Openstack-security] [Bug 1572719] Re: Client may hold socket open
	after ChunkWriteTimeout
References: <20160420203849.17438.29709.malonedeb@soybean.canonical.com>
Message-ID: <20170118161427.20557.62971.malone@wampee.canonical.com>

I agree with this being class D (security hardening opportunity). Since
the report is already public, we can just go ahead and switch the
security advisory task to won't fix, then change it back later if there
are objections. I've done so now.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1572719

Title:
  Client may hold socket open after ChunkWriteTimeout

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Object Storage (swift):
  Confirmed

Bug description:
  You can reproduce this by issuing a GET request for a few hundred MB
  file and never consuming the response, but keep the client socket
  open. Swift will log a 499 but the socket does not always close.

  ChunkWriteTimeout is meant to protect the proxy from a slow reading client:
    https://github.com/openstack/swift/blob/master/swift/proxy/controllers/base.py#L889-L905

  Sometimes when this exception is thrown there is still data in the process socket buffer, so when eventlet tries to close the socket it first flushes it:
    https://github.com/eventlet/eventlet/blob/master/eventlet/wsgi.py#L631
    https://hg.python.org/cpython/file/v2.7.11/Lib/SocketServer.py#l711

  The problem is that if the client is not consuming the socket buffer
  then that flush will wait forever; it's trying to write on a socket
  that just threw a timeout trying to write! The flush write is not
  protected by any timeout.

  As far as I can tell, this WRITE_TIMEOUT does nothing:
    https://github.com/openstack/swift/blob/master/swift/common/wsgi.py#L407

  wsgi.server() takes a socket_timeout that might be what we're after?
    https://github.com/openstack/swift/blob/master/swift/common/wsgi.py#L437-L440

  Even with socket_timeout, eventlet needs to be patched. This should be in a finally block:
    https://github.com/eventlet/eventlet/blob/master/eventlet/wsgi.py#L636-L637

  All of this is probably mitigated by most operators setting an idle
  timeout in their load balancers, but I wanted to report it. Going
  directly to a proxy I was able to hold sockets open for long periods
  of time.

  I did the initial research on version 2.2.2 but I was able to
  reproduce on 2.7.0. I'm trying to translate links to master branch on
  github. I apologize in advance if it's not quite right.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1572719/+subscriptions



From fungi at yuggoth.org  Wed Jan 18 16:26:39 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 18 Jan 2017 16:26:39 -0000
Subject: [Openstack-security] [Bug 1649634] Re: Insecure Randomness for AES
	Passphrase Generation
References: <20161213164942.27372.15759.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170118162640.20707.48866.launchpad@wampee.canonical.com>

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649634

Title:
  Insecure Randomness for AES Passphrase Generation

Status in Cinder:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In cinder/volume/drivers/synology/synology_common.py:176 in function
  _random_AES_passpharse() (sic) randint is used to generate an index
  that is used to select which character is added to the AES key.
  However, this is insecure and is stated in the Python documentation
  where they write "The pseudo-random generators of this module should
  not be used for security purposes."

  They recommend instead using os.urandom() or SystemRandom if a
  cryptographically secure prng is required.

  The proposed fix would be to simply be to use SystemRandom as it has
  all of the same functions from random implemented and does not require
  any new libraries.

  Another option is to use the Crypto library which is already imported
  in the file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1649634/+subscriptions



From tdecacqu at redhat.com  Fri Jan 20 01:03:45 2017
From: tdecacqu at redhat.com (Tristan Cacqueray)
Date: Fri, 20 Jan 2017 01:03:45 -0000
Subject: [Openstack-security] [Bug 1563954] Re: use_forwarded_for exposes
	metadata
References: <20160330160317.3139.18707.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170120010347.20674.33131.launchpad@wampee.canonical.com>

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  The nova metadata service uses the remote address to determine which
  metadata to retrieve. In order to work behind a proxy there is an option
  use_forwarded_for which will use the X-Forwarded-For header to determine
  the remote IP.
  
  If this option is set then anyone who can access the metadata port can
  request metadata for any instance if they know the IP.
  
  The user data is also exposed.
  
  $ echo 123456 > /tmp/data
  $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
  <wait>
  $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
  123456
  
  At a minimum this side-effect isn't documented anywhere I could find.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954

Title:
  use_forwarded_for exposes metadata

Status in OpenStack Compute (nova):
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  The nova metadata service uses the remote address to determine which
  metadata to retrieve. In order to work behind a proxy there is an
  option use_forwarded_for which will use the X-Forwarded-For header to
  determine the remote IP.

  If this option is set then anyone who can access the metadata port can
  request metadata for any instance if they know the IP.

  The user data is also exposed.

  $ echo 123456 > /tmp/data
  $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
  <wait>
  $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
  123456

  At a minimum this side-effect isn't documented anywhere I could find.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions



From 1649446 at bugs.launchpad.net  Sat Jan 21 05:44:40 2017
From: 1649446 at bugs.launchpad.net (Steve Martinelli)
Date: Sat, 21 Jan 2017 05:44:40 -0000
Subject: [Openstack-security] [Bug 1649446] Re: Non-Admin Access to
	Revocation Events
References: <20161213023643.29317.10154.malonedeb@wampee.canonical.com>
Message-ID: <20170121054442.20457.44797.launchpad@wampee.canonical.com>

** Changed in: keystone
   Importance: Undecided => High

** Changed in: keystone
    Milestone: None => ocata-3

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649446

Title:
  Non-Admin Access to Revocation Events

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  With the default Keystone policy any authed user can list all revocation events for the cluster:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L179

  This can be done by directly calling the API as such:
  curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: <non_admin_token_goes_here>"

  and this will provide you with a normal revocation event list (see
  attachment).

  This will allow a user to over time collect a list of user_ids and
  project_ids. The project_ids aren't particularly useful, but the
  user_ids can be used to lock people of of their accounts. Or if rate
  limiting is not setup (a bad idea), or somehow bypassed, would allow
  someone to brute force access to those ids.

  Knowing the ids is no worse than knowing the usernames, but as a non-
  admin you shouldn't have access to such a list anyway.

  It is also worth noting that OpenStack policy files are rife with
  these blank policy rules, not just Keystone. Some are safe and
  intended to be accessible by any authed user, others are checked at
  the code layer, but there may be other rules that are unsafe to expose
  to any authed user and as such should actually default to
  "rule:admin_required" or something other than blank.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1649446/+subscriptions



From 1656076 at bugs.launchpad.net  Thu Jan 26 16:53:05 2017
From: 1656076 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 26 Jan 2017 16:53:05 -0000
Subject: [Openstack-security] [Bug 1656076] Fix included in
	openstack/keystone 11.0.0.0b3
References: <20170112191639.20325.60983.malonedeb@wampee.canonical.com>
Message-ID: <20170126165305.8713.75744.malone@gac.canonical.com>

This issue was fixed in the openstack/keystone 11.0.0.0b3 development
milestone.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth plugin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Invalid
Status in OpenStack Identity (keystone) newton series:
  Invalid
Status in OpenStack Identity (keystone) ocata series:
  Fix Released

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions



From 1649446 at bugs.launchpad.net  Thu Jan 26 16:53:15 2017
From: 1649446 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 26 Jan 2017 16:53:15 -0000
Subject: [Openstack-security] [Bug 1649446] Fix included in
	openstack/keystone 11.0.0.0b3
References: <20161213023643.29317.10154.malonedeb@wampee.canonical.com>
Message-ID: <20170126165315.9076.45909.malone@gac.canonical.com>

This issue was fixed in the openstack/keystone 11.0.0.0b3 development
milestone.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649446

Title:
  Non-Admin Access to Revocation Events

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  With the default Keystone policy any authed user can list all revocation events for the cluster:
  https://github.com/openstack/keystone/blob/master/etc/policy.json#L179

  This can be done by directly calling the API as such:
  curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: <non_admin_token_goes_here>"

  and this will provide you with a normal revocation event list (see
  attachment).

  This will allow a user to over time collect a list of user_ids and
  project_ids. The project_ids aren't particularly useful, but the
  user_ids can be used to lock people of of their accounts. Or if rate
  limiting is not setup (a bad idea), or somehow bypassed, would allow
  someone to brute force access to those ids.

  Knowing the ids is no worse than knowing the usernames, but as a non-
  admin you shouldn't have access to such a list anyway.

  It is also worth noting that OpenStack policy files are rife with
  these blank policy rules, not just Keystone. Some are safe and
  intended to be accessible by any authed user, others are checked at
  the code layer, but there may be other rules that are unsafe to expose
  to any authed user and as such should actually default to
  "rule:admin_required" or something other than blank.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1649446/+subscriptions



From fungi at yuggoth.org  Thu Jan 26 19:49:29 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Thu, 26 Jan 2017 19:49:29 -0000
Subject: [Openstack-security] [Bug 1606495] Re: copy_from in api v1 allows
	network port scan
References: <20160726093308.5782.75451.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170126194930.17083.76997.malone@chaenomeles.canonical.com>

Opening as agreed.

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1606495

Title:
  copy_from in api v1 allows network port scan

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  New

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.


  copy_from allows to create Images with an url like http://localhost:22
  The remote content gets copied unverified in the defined glance store.

  E.g. after downloading the image with copy_from url
  http://localhost:22, you see the OpenSSH banner.

  This is a security issue, as it allows users to do network "scans" for
  open ports and it copies remote (potentially malicious) content
  unverified to your configured glance store.

  glance api v1 is still the default in horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1606495/+subscriptions



From sigmavirus24 at gmail.com  Fri Jan 27 19:40:05 2017
From: sigmavirus24 at gmail.com (Ian Cordasco)
Date: Fri, 27 Jan 2017 19:40:05 -0000
Subject: [Openstack-security] [Bug 1100220] Re: Swift+Glance stops working
 after changing service password
References: <20130116103855.7967.49763.malonedeb@soybean.canonical.com>
Message-ID: <20170127194005.8777.89964.malone@gac.canonical.com>

@Brian, perhaps we should do this in Pike instead. ;-)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1100220

Title:
  Swift+Glance stops working after changing service password

Status in glance_store:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Hello!

  We have some trouble with glance+swift storage.

  After changing password for account, used for Keystone authentication
  in Glance and Swift, glance stops working with errors 500
  (HTTPInternalServerError) and 401 (HTTPUnauthorized).

  I investigated this issue and found that Glance stores image or
  snapshot location in database (mysql or sqlite) with _full_ swift URI
  with login and password.

  Example:
  swift+http://admin%3Aadmin:%PASSWORD%@%HOST%:5000/v2.0/glance/357a3fe7-313c-411c-b0b2-bcd6491d12a1

  When we changed password in Keystone, this credentials are outdated
  BUT Glance STILL USE IT for authenticating in Swift, ignoring glance-
  api.conf and glance-api-paste. In result, we got HTTP500 error in
  reply to any request to glance (like glance image-download) and
  HTTP401 error in glance-api.log

  I can find only one method to workaround this - I manually changed
  this credentials in MySQL. In our situation (5 images) this way is
  idiotic, but real. But what if we have 500 or 5000 images and
  snapshots?

  I think, glance MUST have any method to change credentials without
  manual changing thousands of DB records.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1100220/+subscriptions