[Openstack-security] [Bug 1850274] Re: Updating any neutron quota for non-existent project works
Jeremy Stanley
fungi at yuggoth.org
Thu Oct 31 12:44:13 UTC 2019
Thanks for the feedback everyone, I've switched this to a regular public
bug and set the security advisory task to won't fix, treating it as a
class D report (hardening opportunity) per the OpenStack VMT's report
taxonomy: https://security.openstack.org/vmt-process.html#incident-
report-taxonomy
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
When we try to update a neutron quota for a non-existent project, we get
a 200ok response. The non-existent project doesn't get created, but am
entry for this project in the quotas table of neutron is made.
PUT network/v2.0/quotas/<non-existent proj-id>
Looks like project validation check is missing in the neutron quota
update flow.
Due to this flaw, multiple PUT calls on fake project ids might result in
filling of quota tables very fast & can be considered a type of DOS
attack.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850274
Title:
Updating any neutron quota for non-existent project works
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When we try to update a neutron quota for a non-existent project, we
get a 200ok response. The non-existent project doesn't get created,
but am entry for this project in the quotas table of neutron is made.
PUT network/v2.0/quotas/<non-existent proj-id>
Looks like project validation check is missing in the neutron quota
update flow.
Due to this flaw, multiple PUT calls on fake project ids might result
in filling of quota tables very fast & can be considered a type of DOS
attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1850274/+subscriptions
More information about the Openstack-security
mailing list