[Openstack-security] [Bug 1850273] Re: Updating any cinder quota for non-existent project works

Jeremy Stanley fungi at yuggoth.org
Tue Oct 29 15:27:17 UTC 2019 

Thanks for the input everyone, from the OpenStack VMT's perspective
we'll treat this as a class D report (security hardening opportunity)
and not need an advisory. I've ended the embargo and switched the bug to
public.

https://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  When we try to update a cinder quota for a non-existent project, we get
  a 200ok response. The non-existent project doesn't get created, but am
  entry for this project in the quotas table of cinder is made.
  
   PUT /volume/v3/<proj-id>/os-quota-sets/<non-existent proj-id>
  
  Looks like project validation check is missing in the cinder quota
  update flow.
  
  Due to this flaw, multiple PUT calls on fake project ids might result in
  filling of quota tables very fast & can be considered a type of DOS
  attack.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850273

Title:
  Updating any cinder quota for non-existent project works

Status in Cinder:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When we try to update a cinder quota for a non-existent project, we
  get a 200ok response. The non-existent project doesn't get created,
  but am entry for this project in the quotas table of cinder is made.

   PUT /volume/v3/<proj-id>/os-quota-sets/<non-existent proj-id>

  Looks like project validation check is missing in the cinder quota
  update flow.

  Due to this flaw, multiple PUT calls on fake project ids might result
  in filling of quota tables very fast & can be considered a type of DOS
  attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1850273/+subscriptions

More information about the Openstack-security mailing list