[Openstack-security] [Bug 1850274] Re: Updating any neutron quota for non-existent project works

Jeremy Stanley fungi at yuggoth.org
Thu Oct 31 12:44:13 UTC 2019 

Thanks for the feedback everyone, I've switched this to a regular public
bug and set the security advisory task to won't fix, treating it as a
class D report (hardening opportunity) per the OpenStack VMT's report
taxonomy: https://security.openstack.org/vmt-process.html#incident-
report-taxonomy

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  When we try to update a neutron quota for a non-existent project, we get
  a 200ok response. The non-existent project doesn't get created, but am
  entry for this project in the quotas table of neutron is made.
  
   PUT network/v2.0/quotas/<non-existent proj-id>
  
  Looks like project validation check is missing in the neutron quota
  update flow.
  
  Due to this flaw, multiple PUT calls on fake project ids might result in
  filling of quota tables very fast & can be considered a type of DOS
  attack.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850274

Title:
  Updating any neutron quota for non-existent project works

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When we try to update a neutron quota for a non-existent project, we
  get a 200ok response. The non-existent project doesn't get created,
  but am entry for this project in the quotas table of neutron is made.

   PUT network/v2.0/quotas/<non-existent proj-id>

  Looks like project validation check is missing in the neutron quota
  update flow.

  Due to this flaw, multiple PUT calls on fake project ids might result
  in filling of quota tables very fast & can be considered a type of DOS
  attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1850274/+subscriptions

More information about the Openstack-security mailing list