From gouthampravi at gmail.com Wed Mar 11 21:31:09 2020
From: gouthampravi at gmail.com (Goutham Pacha Ravi)
Date: Wed, 11 Mar 2020 14:31:09 -0700
Subject: [openstack-announce] [OSSA-2020-002] Manila: Unprivileged users can retrieve, use and manipulate share networks (CVE-2020-9543)
Message-ID:

=================================================================================
OSSA-2020-002: Unprivileged users can retrieve, use and manipulate share networks
=================================================================================

:Date: March 10, 2020
:CVE: CVE-2020-9543

Affects
~~~~~~~
- Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1

Description
~~~~~~~~~~~
Tobias Rydberg from City Network Hosting AB reported a vulnerability in
Manila's share network APIs. An attacker can retrieve and manipulate share
networks that do not belong to them if they possess the share network ID.
By exploiting this vulnerability, they can view and manipulate share network
subnets and use the share network to create resources such as shares and
share groups.

Patches
~~~~~~~
- https://review.opendev.org/712167 (Pike)
- https://review.opendev.org/712166 (Queens)
- https://review.opendev.org/712165 (Rocky)
- https://review.opendev.org/712164 (Stein)
- https://review.opendev.org/712163 (Train)
- https://review.opendev.org/712158 (Ussuri)

Credits
~~~~~~~
- Tobias Rydberg from City Network Hosting AB (CVE-2020-9543)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1861485
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9543

Notes
~~~~~
- The stable/queens and stable/pike branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided
  as a courtesy.

--
Goutham Pacha Ravi
PTL, OpenStack Manila
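
The "Affects" ranges from the advisory expressed as a version check. This is an added example, not part of the advisory or of Manila's code; the pre-release handling (pbr-style suffixes) and the sample version strings are assumptions.

```python
import re

# Ranges copied from the advisory's "Affects" line:
#   Manila: <7.4.1, >=8.0.0 <8.1.1, >=9.0.0 <9.1.1
# (inclusive lower bound or None, exclusive upper bound = first fixed release)
AFFECTED_RANGES = [
    (None, (7, 4, 1)),
    ((8, 0, 0), (8, 1, 1)),
    ((9, 0, 0), (9, 1, 1)),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# Pre-release suffixes such as ".dev5", ".0rc1", ".0b2" (assumed pbr-style).
_PRERELEASE = re.compile(r"^(\.\d+)?(\.dev|rc|a|b)\d+")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a version string."""
    text = text.strip().split(":", 1)[-1]  # drop a distro epoch like "1:"
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(part) for part in match.group(1, 2, 3))
    return base, bool(_PRERELEASE.match(match.group(4)))


def is_affected(version_text):
    """True if the version falls in a range OSSA-2020-002 lists as affected.

    A pre-release of a fixed version (e.g. 9.1.1.dev5) is reported as
    affected, because it may have been built before the fix merged.
    """
    base, prerelease = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low is None or base >= low) and base < high:
            return True
        if prerelease and base == high:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for sample in ["6.3.2", "7.4.1", "8.1.0", "9.1.1.dev5", "9.1.1", "10.0.0"]:
        print(f"{sample:12} affected={is_affected(sample)}")
```

A distribution package can carry the backported patch without changing the upstream version, so a True result for a packaged build should be confirmed against the package changelog.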