Difference between revisions of "SVG:Advisory-SVG-2016-11190"
Jump to navigation
Jump to search
(Created page with "{{svg-header}} <pre> Title: EGI SVG Advisory [TLP:WHITE] 'HIGH' risk - Authorization by user_id to manage VMs does not work in V2.1 Nova API for OpenStack [EGI-SVG-2016...") |
|||
Line 20: | Line 20: | ||
Authorization to manage Virtual Machines by individual user_id does no longer work in V2.1 Nova | Authorization to manage Virtual Machines by individual user_id does no longer work in V2.1 Nova | ||
API for OpenStack. This implies for EGI that users within a VO can for example delete VMs which | API for OpenStack. This implies for EGI that users within a VO can for example delete VMs which | ||
do not belong to them, causing a DoS. | do not belong to them, causing a DoS. | ||
Line 30: | Line 28: | ||
For the time being, sites should not upgrade to V2.1 of the Nova API for OpenStack. | For the time being, sites should not upgrade to V2.1 of the Nova API for OpenStack. | ||
If sites have already upgraded to V2.1 of the Nova API for OpenStack, they should downgrade to | If sites have already upgraded to V2.1 of the Nova API for OpenStack, they should downgrade to 2.0. | ||
2.0. | |||
Affected software details | Affected software details | ||
Line 45: | Line 41: | ||
The risk may be elevated to 'Critical' if it is found that users are able to take over other | The risk may be elevated to 'Critical' if it is found that users are able to take over other | ||
users VMs. | users VMs. | ||
Line 51: | Line 46: | ||
There is also a patch provided by CNRS to re-enable the user based authorization, it may be an | There is also a patch provided by CNRS to re-enable the user based authorization, it may be an | ||
alternative to downgrading but we have had no reports of testing yet. See [R 2] | alternative to downgrading but we have had no reports of testing yet. See [R 2] | ||
Line 68: | Line 62: | ||
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | ** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | ||
distribution restrictions ** | distribution restrictions ** | ||
Line 100: | Line 93: | ||
the EGI Software Vulnerability Group will take a look. | the EGI Software Vulnerability Group will take a look. | ||
Timeline | Timeline | ||
Line 113: | Line 105: | ||
2016-06-06 EGI SVG Risk Assessment completed | 2016-06-06 EGI SVG Risk Assessment completed | ||
2016-06-07 Advisory/Alert sent to sites | 2016-06-07 Advisory/Alert sent to sites | ||
</pre> | </pre> |
Revision as of 11:26, 7 June 2016
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2016-11190
Title: EGI SVG Advisory [TLP:WHITE] 'HIGH' risk - Authorization by user_id to manage VMs does not work in V2.1 Nova API for OpenStack [EGI-SVG-2016-11190] Date: 2016-06-07 Updated: Affected software and risk ========================== 'High' risk vulnerability concerning OpenStack VM management Authorization by individual user. Package : OpenStack CVE ID : N/A - functionality removed Bug ID : OpenStack - https://bugs.launchpad.net/nova/+bug/1539351 Authorization to manage Virtual Machines by individual user_id does no longer work in V2.1 Nova API for OpenStack. This implies for EGI that users within a VO can for example delete VMs which do not belong to them, causing a DoS. Actions required/recommended ============================ For the time being, sites should not upgrade to V2.1 of the Nova API for OpenStack. If sites have already upgraded to V2.1 of the Nova API for OpenStack, they should downgrade to 2.0. Affected software details ========================= OpenStack Version 2.1 More information ================ See the bug report [R 1] The risk may be elevated to 'Critical' if it is found that users are able to take over other users VMs. A more permanent solution is being worked on. There is also a patch provided by CNRS to re-enable the user based authorization, it may be an alternative to downgrading but we have had no reports of testing yet. See [R 2] Mitigation ========== N/A Component installation information ================================== See the OpenStack site. TLP and URL =========== ** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11190 Minor updates may be made without re-distribution to the sites Credit ====== SVG was alerted to this issue by the EGI Federated Cloud team References ========== [R 1] https://bugs.launchpad.net/nova/+bug/1539351 [R 2] https://github.com/vin-c/cloud-security/tree/liberty/patch Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu If you find or become aware of a vulnerability which is relevant to EGI you may report it by e- mail to report-vulnerability at egi.eu the EGI Software Vulnerability Group will take a look. Timeline ======== Yyyy-mm-dd [EGI-SVG-2016-11190] 2016-01-29 Deprecated functionality bug opened on OpenStack webpage. 2016------ Software providers involved in investigation 2016-05-31 This issue discussed at the EGI Federated Cloud Task force meeting 2016-06-02 Issue entered as a vulnerability 2016-06-03 SVG agreed an advisory should be issued to sites. 2016-06-06 EGI SVG Risk Assessment completed 2016-06-07 Advisory/Alert sent to sites