- OpenStack-announce - lists.openstack.org

OpenStack Ussuri is officially released!
by Sean McGinnis 13 May '20

13 May '20

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack Ussuri, which concludes the Ussuri development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/ussuri/ Congratulations to all of the teams who have contributed to this release! Our next production cycle, Victoria, has already started. We will virtually meet June 1-5, 2020, for the Victoria Project Teams Gathering. More details can be found on the PTG site: https://www.openstack.org/ptg Thanks, Sean McGinnis and the Release Management team

1 0

[OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING)
by Gage Hugo 07 May '20

07 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================== OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter ============================================================================== :Date: May 06, 2020 :CVE: Pending Affects ~~~~~~~ - - Keystone: <15.0.1, ==16.0.0 Description ~~~~~~~~~~~ kay reported a vulnerability in Keystone's OAuth1 Token API. The list of roles provided for an OAuth1 access token are ignored, so when an OAuth1 access token is used to request a keystone token, the keystone token will contain every role assignment the creator had for the project instead of the provided subset of roles. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. Patches ~~~~~~~ - - https://review.opendev.org/725894 (Rocky) - - https://review.opendev.org/725892 (Stein) - - https://review.opendev.org/725890 (Train) - - https://review.opendev.org/725887 (Ussuri) - - https://review.opendev.org/725885 (Victoria) Credits ~~~~~~~ - - kay (CVE Pending) References ~~~~~~~~~~ - - https://launchpad.net/bugs/1873290 - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending Notes ~~~~~ - - The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zFWsACgkQ56j9K3b+ vRFDnhAArgXdQUnCyckPQciBvxMxQvqhCEhzGH0aQNAmMLaImYUwFhFVVO0DlcNb kt/ynLQLdyi3YnCz1x4VhUXaCh4Rhi9pYkU4LKa/tvJj6anrCSLHmuDD52idkZeB sFslgkh/BGfdM4HcuPLhs4SSaZpI53ASitiOhyjBIN/DmpLUbZgmJ1iz3FfQ3cTB wtjYI4jGCCMq+4POSozWMzeYdL3JzR264jBCRrCw1ErIPjpF4KSOFaH5vqakBnzw Ot7KR7s7FmIwU7LhCuvjgLW3rxwE1g5bz+Qd/97rC1bTx/iPHklQjMP5SoGwmjta Kx1prUaQqFys5Bw93e0cj1Fwn0zNHUjqLs4LZscNbyGRyAZCPREeg2quwBxVUNk9 D6jxW3J2LYIu+ictVV5fnBQd4/+NtxM8ofLDM03QZouUpkNfCHAmW81BYqd2+Pii VbJi5Litz+DHLrAyh0O4zD/PBc5+5zxB2EXEDVEJitqaxQWfogJwJzGe89ULom0I VXMuYOvqaLV9f2JIG6SEBiKrfaUhSgoHTrmznt82KOlsOBMamQUaj5iTqDoDzPD2 LVB2WLABj1cFZsnTFAec1qKwEPXuT0p3Dsb7eyvwsq5aJYS5I2bjK6Q1WcCcqzJF 1b+v0iqW0Qu+Hk4fwvcrqqQMDZ7Q982tT+B7sU8xV4jYBtFLseQ= =iEFE -----END PGP SIGNATURE-----

1 1

[OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)
by Gage Hugo 07 May '20

07 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ================================================================================================================= OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context ================================================================================================================= :Date: May 06, 2020 :CVE: Pending Affects ~~~~~~~ - - Keystone: <15.0.1, ==16.0.0 Description ~~~~~~~~~~~ kay reported two vulnerabilities in keystone's EC2 credentials API. Any authenticated user could create an EC2 credential for themselves for a project that they have a specified role on, then perform an update to the credential user and project, allowing them to masquerade as another user. (CVE #1 PENDING) Any authenticated user within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. (CVE #2 PENDING) Both of these vulnerabilities potentially allow a malicious user to act as admin on a project that another user has the admin role on, which can effectively grant the malicious user global admin privileges. Patches ~~~~~~~ - - https://review.opendev.org/725895 (Rocky) - - https://review.opendev.org/725893 (Stein) - - https://review.opendev.org/725891 (Train) - - https://review.opendev.org/725888 (Ussuri) - - https://review.opendev.org/725886 (Victoria) Credits ~~~~~~~ - - kay (CVE Pending) References ~~~~~~~~~~ - - https://launchpad.net/bugs/1872733 - - https://launchpad.net/bugs/1872735 - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending Notes ~~~~~ - - The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zE70ACgkQ56j9K3b+ vREQsBAAnHZLyrbjSwu7/CEdDVfb0sQZfDvyuXMttzouXQ6ZwEgLFKzc/aFWMjru loyst9jAx2pJzvxDfMYO11oU0M5tYFCFxhKsVvu+3ggbcNHeov1s25bPkxE7A2j7 IYJj9b+bbieYVj1ru3FJjDl3iTae4K73DeHNBCdxTSeahJZdya7hiboA1VJFt4p7 fNqU3+szsYt/vwspPBi7x+xnZszIMaUw8tVgxzB4KVD6YXbDR9Mp7itH77kGdn8l e3OpnURvfaIkPbK6fqE6jjwjQEL/6+Ahffaf4KqvsdjbAcdQRpK0UQrBX+n6DIWd TRwV/W7bEy64HrC16W78fcBlegRmEUUM4xNmdll3lwUS5KqfEeM3vXU4Ksfe9tQ2 8fDU1hDALcC55+2CMMrdFfmX/MBSTz0HVmP4snaGuoXBL/iQz22OmekFKC1tmXxb +vAtOUBsdzphRZn9KWvPIHOFGeuepWb9W0eN594JT2pdHfniLj6EaPrBaN63l7M/ pu0DTPygN5IdUXv6v/vquQZp50CaN59okmXDNiFkBeHsfaAqhdyjJjRaYvyU62OA apjVam8/f2HM0RC0vvpIqv0z0kU55NPCo61dlMZPg6U9JiQd2PzBqvEtDF1lyByF vz5e+r9fmtRcgCJIYr0Z7VlOlSMONpITN03oICaexieDTEXDXHc= =lSDG -----END PGP SIGNATURE-----

1 1

[OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING)
by Gage Hugo 07 May '20

07 May '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ====================================================================================== OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method ====================================================================================== :Date: May 06, 2020 :CVE: Pending Affects ~~~~~~~ - - Keystone: <15.0.1, ==16.0.0 Description ~~~~~~~~~~~ kay reported a vulnerability with keystone's EC2 API. Keystone doesn't have a signature TTL check for AWS signature V4 and an attacker can sniff the auth header, then use it to reissue an openstack token an unlimited number of times. Patches ~~~~~~~ - - https://review.opendev.org/725385 (Rocky) - - https://review.opendev.org/725069 (Stein) - - https://review.opendev.org/724954 (Train) - - https://review.opendev.org/724746 (Ussuri) - - https://review.opendev.org/724124 (Victoria) Credits ~~~~~~~ - - kay (CVE Pending) References ~~~~~~~~~~ - - https://launchpad.net/bugs/1872737 - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending Notes ~~~~~ - - The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zEjwACgkQ56j9K3b+ vRFejhAAvzq3MBwKGXIKsJxQmwVS0RxVFifTAfnKIjBGskG3knWkQHopY0IcmwoZ 3Kv2AnRgFVBuQpZ0t9Y3S3U7KRI63FT+kzA3gy9sB+h7rdqzquxejXvljRMGJlex WRCOQwRP4prFpzpUqzBg9/bIAyWpkrjJIvz7iJ9U3z6MbrZIjV+YEZ3JIRQTdMUj MajgwJ4EDynkh8trm63n7Gyuvq8ukj1FCrG1APWJi96HhwNz6XwiqXIWci4CTaEW sY9v8luETMCyv+nY2pt9IF8wXOaJKJXPTilf6sisjN2zDq+UWgsxEC0sp3h09tnZ m6cy3OvUQeDmdJVQ/VNsfUTeRYRvYri2u44FaOUBjsNxeZca1U4MCVkAiN9BBzkg k1Xb8zgGoXaytT/lzzyr67h6ZghKm6cnSUktWnX56847byOMPi/g9q1cu0edUwwC 7SDaQ08JbsEstiXtPVBhatTLxbjlNy5eql6NaZmFQatYJAQKZsasvwV4YBv290mu OsVHUEqjmYk4b4CZNPQC2681CDtAQpiLuasYiLnxC6I+zBTwfP+6tzP0xVHW4woi 4Jhl/watZMudrtMS3YoOmwZ4iFNJRzQcDWmiAr0CZiC0NGamLjvHWHRslnvmhy92 kSGWLilaMD5vBODXVY82lQHrbl96dPRbpe8/z29sALsEs6aNFYk= =qyBV -----END PGP SIGNATURE-----

1 1

[OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)
by Goutham Pacha Ravi 11 Mar '20

11 Mar '20

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ================================================================================= OSSA-2020-002: Unprivileged users can retrieve, use and manipulate share networks ================================================================================= :Date: March 10, 2020 :CVE: CVE-2020-9543 Affects ~~~~~~~ - - Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1 Description ~~~~~~~~~~~ Tobias Rydberg from City Network Hosting AB reported a vulnerability with the manila's share network APIs. An attacker can retrieve and manipulate share networks that do not belong to them if they possess the share network ID. By exploiting this vulnerability, they can view and manipulate share network subnets and use the share network to create resources such as shares and share groups. Patches ~~~~~~~ - - https://review.opendev.org/712167 (Pike) - - https://review.opendev.org/712166 (Queens) - - https://review.opendev.org/712165 (Rocky) - - https://review.opendev.org/712164 (Stein) - - https://review.opendev.org/712163 (Train) - - https://review.opendev.org/712158 (Ussuri) Credits ~~~~~~~ - - Tobias Rydberg from City Network Hosting AB (CVE-2020-9543) References ~~~~~~~~~~ - - https://launchpad.net/bugs/1861485 - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543 Notes ~~~~~ - - The stable/queens and stable/pike branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy. - -- Goutham Pacha Ravi PTL, OpenStack Manila -----BEGIN PGP SIGNATURE----- wsFcBAEBCAAGBQJeaViCAAoJEDEySBmyuw9iY1gP+wXPu81ibCHxAtEwubPT mA4dnqL4YU9h+pElw8MAyyYAc7yN6dTK64NHdHSAVuj2BgfAKe2xrXqqTzfK gkmVTpkYCbDH7ycbLBWD3gi+6EYKAI9E8T6kOZ47peOZUgTP3B85rrIUjYCA MhFnzkLczbizUdnAJAycghNLIpspZ/6QO/vrOOMT9q8pSTNzoAmmdCfKxFIQ wJRADKQruCi4Btxzi7hYaVzNPqUgLeORszGcQ40U4qbdvK3OCGfYAmnPPxBW 1qBV20fFBvfofzCjJgPnFYAF+O/eyEizDAsWVvyK6K9THiu3QnVBe8Z0wp9i kcxKcEwU1dYb/Y38kzttYk/AyEyAXfwHaz8eEHtlwiyO/aijc2DzVnZN5YPK vwPnORw8o8CoALkyDat9WAwaAdzcIdOhRRWDZ7ScicEReA5lPhy95vMzDX0o 2JXvnrbSMs0/Z7Lopz3dj6R/ZuyZOCxiuYqgGi0Vc/jIbLC98HTjNxbB2Kp+ fQ+tl8ZWpFXOw6WMVcD81qSt4ISGVA33r7iAih42TPL8PLTktZdEe4UIz2lu CM7fUAtnkOK6Duhn/MbpEHuRUwWh7ydmei+wxVuu4MskX82gsUCpeKj6iy3W 7UfrbROm6ux7pOrgUgnH0LKpqO+qS8q3IhZRGJ3S9k+Y0XD2mivBe2hAapRU KRMH =O+Pe -----END PGP SIGNATURE-----

1 0

[OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543)
by Jeremy Stanley 19 Feb '20

19 Feb '20

============================================================= OSSA-2020-001: Nova can leak consoleauth token into log files ============================================================= :Date: February 19, 2020 :CVE: CVE-2015-9543 Affects ~~~~~~~ - Nova: <18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0 Description ~~~~~~~~~~~ Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the serviceâ€™s logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. Patches ~~~~~~~ - https://review.opendev.org/707845 (Queens) - https://review.opendev.org/704255 (Rocky) - https://review.opendev.org/702181 (Stein) - https://review.opendev.org/696685 (Train) - https://review.opendev.org/220622 (Ussuri) Credits ~~~~~~~ - Paul Carlton from HP (CVE-2015-9543) References ~~~~~~~~~~ - https://launchpad.net/bugs/1492140 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9543 Notes ~~~~~ - The stable/queens branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy. -- Jeremy Stanley, on behalf of OpenStack Vulnerability Management

1 0

[OSSA-2019-006] Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687)
by Gage Hugo 11 Dec '19

11 Dec '19

===================================================================================== OSSA-2019-006: Credentials API allows listing and retrieving of all users credentials ===================================================================================== :Date: December 09, 2019 :CVE: CVE-2019-19687 Affects ~~~~~~~ - Keystone: ==15.0.0, ==16.0.0 Description ~~~~~~~~~~~ Daniel Preussker reported a vulnerability in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when [oslo_policy] enforce_scope is false. Users with a role on a project are able to view any other users credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or othewise. Deployments running keystone with [oslo_policy] enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed. Patches ~~~~~~~ - https://review.opendev.org/697731 (Stein) - https://review.opendev.org/697611 (Train) - https://review.opendev.org/697355 (Ussuri) Credits ~~~~~~~ - Daniel Preussker (CVE-2019-19687) References ~~~~~~~~~~ - https://bugs.launchpad.net/keystone/+bug/1855080 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687

1 0

[OSSN-0085] Cinder configuration option can leak secret key from Ceph backend
by Brian Rosmaita 05 Dec '19

05 Dec '19

Cinder configuration option can leak secret key from Ceph backend --- ### Summary ### This vulnerability is present only when Cinder has a Ceph backend *and* the ``rbd_keyring_conf`` option in the Cinder configuration file is set. (The option is unset by default.) Under these circumstances, the keyring content may be leaked to a regular user. ### Affected Services / Software ### Cinder, Pike, Queens, Rocky, Stein, Train ### Discussion ### When the ``rbd_keyring_conf`` option is set, a user who creates a volume and then does a local attach of that volume using the Cinder REST API, may discover the keyring content for the Ceph cluster. (This does not apply to the normal Nova attach process. The user must contact the Cinder REST API directly for this exploit.) If this user then gains access to the Ceph cluster independently of Cinder, these credentials may be used to access any volume in the cluster. This issue was reported by Raphael Glon of OVH. NOTE: This issue is different from OSSA-2019-003, through which Ceph credentials could be leaked from the Nova REST API during error conditions, but we suggest you take this opportunity to review that security advisory and make sure your system has been updated or patched to address it: https://security.openstack.org/ossa/OSSA-2019-003.html ### Recommended Actions ### Any installation currently using the ``rbd_keyring_conf`` option should immediately stop using that option. In order for Cinder backups to continue working, the Ceph keyring secrets should be deployed directly on cinder-backup hosts in their standard location: /etc/ceph/<cluster_name>.client.<user_name>.keyring The ``rbd_keyring_conf`` is deprecated in the Ussuri release and will be removed early in the 'V' development cycle. There is no replacement planned for this functionality. ### Contacts / References ### Author: Brian Rosmaita, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0085 Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1849624 Mailing List : [Security] tag on openstack-discuss(a)lists.openstack.org OpenStack Security Project : https://launchpad.net/~openstack-ossg

1 0

OpenStack Train is officially released!
by Sean McGinnis 16 Oct '19

16 Oct '19

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack Train, which conclude the Train development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/train/ Congratulations to all of the teams who have contributed to this release! Our next production cycle, Ussuri, has already started. We will meet in Shanghai, China, November 6-8 at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Sean McGinnis and the Release Management team

1 0

[OSSA-2019-005] Octavia Amphora-Agent not requiring Client-Certificate (CVE-2019-17134)
by Daniel 'f0o' Preussker 08 Oct '19

08 Oct '19

===================================================================== OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate ===================================================================== :Date: October 07, 2019 :CVE: CVE-2019-17134 Affects ~~~~~~~ - Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 Description ~~~~~~~~~~~ Daniel Preussker reported a vulnerability in amphora-agent, running within Octavia Amphora Instances which allows unauthenticated access from the management network. This leads to information disclosure and also allows changes to the configuration of the Amphora via simple HTTP requests because cmd/agent.py gunicorn cert_reqs option is incorrectly set to True instead of ssl.CERT_REQUIRED. Patches ~~~~~~~ - https://review.opendev.org/686547 (Ocata) - https://review.opendev.org/686546 (Pike) - https://review.opendev.org/686545 (Queens) - https://review.opendev.org/686544 (Rocky) - https://review.opendev.org/686543 (Stein) - https://review.opendev.org/686541 (Train) Credits ~~~~~~~ - Daniel Preussker (CVE-2019-17134) References ~~~~~~~~~~ - https://storyboard.openstack.org/#!/story/2006660 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134 Notes ~~~~~ - The stable/ocata and stable/pike branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.

1 0