OpenStack API authentication information leakage
Bug #732866 reported by justinsb
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Brian Lamar |
Bug Description
When logging in using the OpenStack API, I should get the same error (401?) if my credentials are wrong no matter what.
However, if I use the password of _anyone_ in the system, I get a 401. If my password does not match anyone in the system, then I get a 500. Obvious birthday-paradox attack.
Thankfully the OpenStack API isn't released yet, so not classifying this as a vulnerability.
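The report describes two failure paths that return different status codes. The following is an added example, not code from nova or from the linked branches: a constructed, in-memory login check that models the reported behaviour (a password matching any account yields 401, a password matching nobody yields 500) next to a corrected variant that looks the account up by username and returns the same 401 on every failure path. The user table, the hashing scheme and the 204 success code are assumptions made for the illustration.

```python
# Added example (not nova's own code). Models the reported behaviour of the
# OpenStack API login and the corrected behaviour where every failed credential
# check yields the same 401. The user store and hashing are constructed.

import hashlib
import hmac


def _hash(password, salt):
    """Constructed salted hash; stands in for whatever the real service uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample user table: username -> (salt, password hash).
USERS = {
    "alice": ("salt-a", _hash("alice-secret", "salt-a")),
    "bob": ("salt-b", _hash("bob-secret", "salt-b")),
}


class InternalError(Exception):
    """Stands in for an unhandled exception the server turns into a 500."""


def _find_user_by_password(password):
    """Models the flawed lookup described in the report: scans every
    account for a matching password and returns the owner, or None."""
    for name, (salt, digest) in USERS.items():
        if hmac.compare_digest(_hash(password, salt), digest):
            return name
    return None


def login_leaky(username, password):
    """Reported behaviour: the status code depends on whether *anyone*
    holds this password (401) or nobody does (500)."""
    try:
        owner = _find_user_by_password(password)
        if owner is None:
            # An unhandled error here is what the client sees as a 500.
            raise InternalError("no account matched the password")
        if owner != username:
            return 401
        return 204  # assumed success code for the login call
    except InternalError:
        return 500


def login_fixed(username, password):
    """Corrected behaviour: resolve the account by username, verify that one
    account's hash, and return the same 401 on every failure path."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs about the same as a
        # wrong password (assumption; the page does not discuss timing).
        _hash(password, "dummy-salt")
        return 401
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401
    return 204


def failure_codes(login, attempts):
    """Set of status codes a login function returns for a list of
    (username, password) attempts; a leak shows up as more than one code."""
    return {login(u, p) for u, p in attempts}


if __name__ == "__main__":
    bad_attempts = [("alice", "bob-secret"), ("alice", "not-anyones-password")]
    print("reported behaviour:", sorted(failure_codes(login_leaky, bad_attempts)))
    print("fixed behaviour:   ", sorted(failure_codes(login_fixed, bad_attempts)))
```

Running the block prints `[401, 500]` for the reported behaviour and `[401]` for the fixed one; the single-element set is the property a regression test for this bug should assert on, independent of how the credential check is implemented.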
Related branches
lp://staging/~justin-fathomdb/nova/test-openstack-login
Superseded for merging into lp://staging/~hudson-openstack/nova/trunk
- Nova Core security contacts: Pending requested
- Diff: 1177 lines (+1107/-0) (has conflicts), 12 files modified:
  nova/api/openstack/accounts.py (+85/-0)
  nova/api/openstack/users.py (+93/-0)
  nova/db/sqlalchemy/migrate_repo/versions/010_add_os_type_to_instances.py (+51/-0)
  nova/db/sqlalchemy/migrate_repo/versions/011_live_migration.py (+83/-0)
  nova/tests/api/openstack/test_accounts.py (+125/-0)
  nova/tests/api/openstack/test_users.py (+141/-0)
  nova/tests/integrated/__init__.py (+20/-0)
  nova/tests/integrated/api/__init__.py (+20/-0)
  nova/tests/integrated/api/client.py (+213/-0)
  nova/tests/integrated/integrated_helpers.py (+188/-0)
  nova/tests/integrated/test_login.py (+79/-0)
  nova/virt/cpuinfo.xml.template (+9/-0)
lp://staging/~justin-fathomdb/nova/test-openstack-api
- Devin Carlen (community): Approve
- Cory Wright (community): Approve
- Jay Pipes (community): Approve
- Diff: 268 lines (+252/-0), 3 files modified:
  nova/tests/integrated/__init__.py (+20/-0)
  nova/tests/integrated/api/__init__.py (+20/-0)
  nova/tests/integrated/api/client.py (+212/-0)
lp://staging/~blamar/nova/lp732866
- Rick Harris (community): Approve
- Jay Pipes (community): Approve
- justinsb (community): Approve
- Brian Waldon (community): Approve
- Diff: 168 lines (+44/-25), 3 files modified:
  nova/api/openstack/auth.py (+5/-1)
  nova/tests/api/openstack/fakes.py (+4/-1)
  nova/tests/api/openstack/test_auth.py (+35/-23)
Changed in nova:
- assignee: nobody → Brian Lamar (blamar)
Changed in nova:
- status: Confirmed → In Progress
Changed in nova:
- status: In Progress → Fix Committed
Changed in nova:
- milestone: none → 2011.2
- status: Fix Committed → Fix Released
Nice catch.
None of the linked branches directly address this bug, right? In which case maybe those should be unlinked to avoid giving the impression this is already being addressed?