RCE vulnerability in OpenStack Murano using insecure YAML tags

:Date: June 23, 2016
:CVE: CVE-2016-4972

- Murano: <=2015.1.1; <=1.0.2; ==2.0.0
- Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0
- Python-muranoclient: <=0.7.2; >=0.8.0<=0.8.4

Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack
Murano applications processing. Using extended YAML tags in Murano
application YAML files, an attacker can perform a Remote Code
Execution attack.

The vulnerability has been verified in all currently supported branches.
Further examination of the code suggests that it is also present in the
kilo and juno versions of murano.
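
The following is an added example, not code from Murano or from the fix reviews. It assumes the application YAML is parsed with PyYAML and shows two defensive checks: listing non-standard tags in a file without constructing any objects, and loading with the safe loader, which rejects such tags. The sample documents are constructed and the function names are hypothetical.

```python
import yaml

# Tags that PyYAML's SafeLoader can construct (standard YAML types only).
PREFIX = "tag:yaml.org,2002:"
STANDARD_TAGS = {PREFIX + name for name in (
    "null", "bool", "int", "float", "binary", "timestamp",
    "omap", "pairs", "set", "str", "seq", "map")}

# Constructed sample documents (not taken from any real Murano package).
PLAIN = """\
Format: 1.0
Type: Application
FullName: com.example.Demo
Tags: [demo, test]
"""
TAGGED = """\
Format: 1.0
Type: Application
FullName: !!python/tuple [com, example]
"""
# Same tag reached through a %TAG handle; a plain text search for
# "!!python" would miss it, the parser resolves it to the full tag.
ALIASED = """\
%TAG !p! tag:yaml.org,2002:python/
---
FullName: !p!tuple [com, example]
"""


def explicit_tags(text):
    """List non-standard tags in a YAML document. Parse events only:
    no Python objects are constructed from the document."""
    found = set()
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)  # None when no explicit tag
        if tag and tag not in STANDARD_TAGS:
            found.add(tag)
    return sorted(found)


def load_untrusted(text):
    """Load with the safe loader. Returns (data, None) on success or
    (None, reason) when the document is rejected."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, getattr(exc, "problem", None) or str(exc)
```
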

- https://review.openstack.org/#/c/333444/ (Liberty)
- https://review.openstack.org/#/c/333425/ (Liberty)
- https://review.openstack.org/#/c/333432/ (Liberty)
- https://review.openstack.org/#/c/333443/ (Mitaka)
- https://review.openstack.org/#/c/333424/ (Mitaka)
- https://review.openstack.org/#/c/333439/ (Mitaka)
- https://review.openstack.org/#/c/333423/ (Newton)
- https://review.openstack.org/#/c/333440/ (Newton)
- https://review.openstack.org/#/c/333428/ (Newton)

- Kirill Zaitsev from Mirantis (CVE-2016-4972)

- https://bugs.launchpad.net/python-muranoclient/+bug/1586078
- https://bugs.launchpad.net/murano/+bug/1586079
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4972

- Fixes for this bug are going to be included in the upcoming releases
  of murano 1.0.3 (liberty), 2.0.1 (mitaka), 3.0.0 (newton) and
  python-muranoclient 0.7.3 (liberty), 0.8.5 (mitaka), 0.9.0 (newton).

Kirill Zaitsev
Murano Project Technical Lead