[tripleo][core] gerrit breach and auditing all tripleo commits since Oct 01

Jeremy Stanley fungi at yuggoth.org
Wed Oct 21 14:23:30 UTC 2020


On 2020-10-21 15:02:54 +0300 (+0300), Marios Andreou wrote:
[...]
> I don't think we need to worry that it was 'one of our accounts'
> that was compromised, at least I expect we would have known by now
> if there was any indication that this is the case.
> 
> The main concern is if the compromised admin account made any
> commits at all. So the immediate check is to make sure that all
> those commits were in fact merged by 'one of us' and not by any
> unknown account.
[...]

Not quite. The main concern is that the attacker had access (via an
account in Gerrit's Administrators group) to add their own SSH key
or view/add/change the REST API key for any user of the service, so
could in theory have proposed a change masquerading as a regular
member of your team, +2'd it as another member of your team, and
approved it as yet a third member of your team, without necessarily
raising suspicion. While we consider this unlikely, it was entirely
possible for the first few weeks of this month.

Per my other reply on this thread, we already checked that every
commit corresponds to a change in Gerrit, so it should be sufficient
to just skim the last few weeks' changes and make sure you remember
reviewing/approving them.
-- 
Jeremy Stanley
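The "every commit corresponds to a change in Gerrit" audit described above, as an added example that is not part of this thread or of any OpenDev tooling. It assumes a `git log` since Oct 01 and a Gerrit `/changes/` query (with the `CURRENT_REVISION`, `DETAILED_LABELS` and `DETAILED_ACCOUNTS` options) have already been fetched, uses constructed stand-ins for both, and flags commits with no merged change, a SHA other than the one Gerrit recorded, or approvals from accounts outside a team allowlist.

```python
import json
import re
GERRIT_PREFIX = ")]}'"  # Gerrit prepends this to JSON replies to block XSSI; strip it before parsing
KNOWN_CORE = {"alice", "bob", "carol"}  # constructed allowlist of the team's Gerrit usernames
CHANGE_ID_RE = re.compile(r"^Change-Id: (I[0-9a-f]{40})$", re.MULTILINE)

# Constructed stand-in for `git log --format=%H%x00%B --since=2020-10-01` records: (sha, message)
GIT_LOG = [
    ("a" * 40, "Fix thing\n\nChange-Id: I" + "1" * 40 + "\n"),
    ("b" * 40, "Other fix\n\nChange-Id: I" + "2" * 40 + "\n"),
    ("c" * 40, "Pushed straight to the branch, no review\n"),
]
# Constructed stand-in for GET /changes/?q=status:merged&o=CURRENT_REVISION&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS
GERRIT_REPLY = GERRIT_PREFIX + json.dumps([
    {"change_id": "I" + "1" * 40, "current_revision": "a" * 40, "submitter": {"username": "alice"},
     "labels": {"Code-Review": {"all": [{"username": "bob", "value": 2}]},
                "Workflow": {"all": [{"username": "alice", "value": 1}]}}},
    {"change_id": "I" + "2" * 40, "current_revision": "b" * 40, "submitter": {"username": "mallory"},
     "labels": {"Code-Review": {"all": [{"username": "mallory", "value": 2}]},
                "Workflow": {"all": [{"username": "mallory", "value": 1}]}}},
])

def parse_gerrit(raw):
    """Return merged ChangeInfo records keyed by Change-Id, with the XSSI prefix removed."""
    body = raw[len(GERRIT_PREFIX):] if raw.startswith(GERRIT_PREFIX) else raw
    return {c["change_id"]: c for c in json.loads(body)}

def audit(git_log, gerrit_raw, known):
    """Flag commits that bypassed Gerrit review or were approved by accounts outside `known`."""
    changes = parse_gerrit(gerrit_raw)
    findings = []
    for sha, message in git_log:
        match = CHANGE_ID_RE.search(message)
        if not match:
            findings.append((sha, "no Change-Id trailer; commit did not go through review"))
            continue
        change = changes.get(match.group(1))
        if change is None:
            findings.append((sha, "Change-Id has no merged change in Gerrit"))
            continue
        if change["current_revision"] != sha:
            findings.append((sha, "merged commit is not the revision Gerrit recorded"))
        # Everyone who submitted or voted positively on the change must be a known team member.
        actors = {change["submitter"]["username"]}
        for label in change.get("labels", {}).values():
            actors |= {v["username"] for v in label.get("all", []) if v.get("value", 0) > 0}
        unknown = actors - known
        if unknown:
            findings.append((sha, "approved by unrecognised account(s): " + ", ".join(sorted(unknown))))
    return findings
```

Anything this returns is a commit that needs a human to confirm they actually reviewed or approved it; an empty list means every commit in the window matches a change approved only by known accounts.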

