2019-04-04 16:10:35 |
Eric Harney |
bug |
|
|
added bug |
2019-04-04 16:13:28 |
Eric Harney |
bug |
|
|
added subscriber Summer Long |
2019-04-04 16:34:46 |
Eric Harney |
bug |
|
|
added subscriber Matan Sabag |
2019-04-04 16:34:58 |
Eric Harney |
bug |
|
|
added subscriber Helen Walsh |
2019-04-04 17:07:44 |
Jeremy Stanley |
description |
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
|
2019-04-04 17:07:57 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2019-04-04 17:08:06 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2019-04-04 17:08:31 |
Jeremy Stanley |
bug |
|
|
added subscriber Cinder Core security contacts |
2020-02-27 23:52:45 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-05-27 and will be made
public by or on that date if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
|
2020-04-27 22:34:07 |
Sean McGinnis |
cinder: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-13 09:28:51 |
Sean McGinnis |
bug |
|
|
added subscriber Ivan Pchelintsev |
2020-05-19 11:35:25 |
Ivan Pchelintsev |
attachment added |
|
cinder.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5374057/+files/cinder.patch |
|
2020-05-19 11:35:55 |
Ivan Pchelintsev |
attachment added |
|
os-brick.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5374058/+files/os-brick.patch |
|
2020-05-19 18:12:43 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-05-27 and will be made
public by or on that date if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-05-27 and will be made
public by or on that date even if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
|
2020-05-21 02:17:14 |
Walt Boring |
cinder: importance |
Undecided |
High |
|
2020-05-21 08:35:42 |
Ivan Pchelintsev |
attachment removed |
os-brick.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5374058/+files/os-brick.patch |
|
|
2020-05-21 08:36:14 |
Ivan Pchelintsev |
attachment added |
|
os-brick.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5375048/+files/os-brick.patch |
|
2020-05-21 09:07:06 |
Ivan Pchelintsev |
attachment added |
|
bug1823200.tar.gz https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5375080/+files/bug1823200.tar.gz |
|
2020-05-22 09:41:23 |
Ivan Pchelintsev |
bug |
|
|
added subscriber Vladislav Belogrudov |
2020-05-26 15:55:14 |
Brian Rosmaita |
cinder: status |
New |
In Progress |
|
2020-05-26 17:28:18 |
Brian Rosmaita |
attachment added |
|
0001-Add-OSSN-0086.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5377033/+files/0001-Add-OSSN-0086.patch |
|
2020-05-26 19:31:28 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-05-27 and will be made
public by or on that date even if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-06-03 and will be made
public by or on that date even if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
|
2020-05-27 12:47:29 |
Ivan Pchelintsev |
attachment added |
|
tempest_console.log https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5377399/+files/tempest_console.log |
|
2020-05-27 14:29:22 |
Ivan Pchelintsev |
attachment added |
|
bug1823200_train.tar.gz https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5377417/+files/bug1823200_train.tar.gz |
|
2020-05-27 15:47:12 |
Vladislav Belogrudov |
bug |
|
|
added subscriber Rajini Karthik |
2020-05-27 15:47:39 |
Vladislav Belogrudov |
bug |
|
|
added subscriber arkady kanevsky |
2020-05-28 12:12:26 |
Ivan Pchelintsev |
attachment added |
|
bug1823200_stein.tar.gz https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5377861/+files/bug1823200_stein.tar.gz |
|
2020-05-29 12:39:40 |
Ivan Pchelintsev |
attachment added |
|
bug1823200_rocky.tar.gz https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5378388/+files/bug1823200_rocky.tar.gz |
|
2020-05-29 20:04:26 |
Jeremy Stanley |
bug task added |
|
ossn |
|
2020-05-29 20:04:39 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2020-05-29 20:10:31 |
Jeremy Stanley |
ossn: assignee |
|
Brian Rosmaita (brian-rosmaita) |
|
2020-05-29 20:21:04 |
Jeremy Stanley |
bug task added |
|
ossp-security-documentation |
|
2020-05-29 20:21:55 |
Jeremy Stanley |
bug task added |
|
os-brick |
|
2020-05-29 20:43:23 |
Brian Rosmaita |
bug |
|
|
added subscriber Nick Tait |
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/stein |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/stein |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/rocky |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/rocky |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/train |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/train |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/victoria |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/victoria |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/ussuri |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/ussuri |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
nominated for series |
|
cinder/queens |
|
2020-05-29 20:53:40 |
Brian Rosmaita |
bug task added |
|
cinder/queens |
|
2020-05-29 20:56:53 |
Brian Rosmaita |
cinder/queens: importance |
Undecided |
High |
|
2020-05-29 20:56:53 |
Brian Rosmaita |
cinder/queens: status |
New |
In Progress |
|
2020-05-29 20:56:53 |
Brian Rosmaita |
cinder/queens: milestone |
|
queens-em |
|
2020-05-29 20:56:53 |
Brian Rosmaita |
cinder/queens: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 20:57:44 |
Brian Rosmaita |
cinder/rocky: importance |
Undecided |
High |
|
2020-05-29 20:57:44 |
Brian Rosmaita |
cinder/rocky: status |
New |
In Progress |
|
2020-05-29 20:57:44 |
Brian Rosmaita |
cinder/rocky: milestone |
|
rocky-em |
|
2020-05-29 20:57:44 |
Brian Rosmaita |
cinder/rocky: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 20:58:39 |
Brian Rosmaita |
cinder/stein: importance |
Undecided |
High |
|
2020-05-29 20:58:39 |
Brian Rosmaita |
cinder/stein: status |
New |
In Progress |
|
2020-05-29 20:58:39 |
Brian Rosmaita |
cinder/stein: milestone |
|
14.0.5 |
|
2020-05-29 20:58:39 |
Brian Rosmaita |
cinder/stein: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 20:59:14 |
Brian Rosmaita |
cinder/train: importance |
Undecided |
High |
|
2020-05-29 20:59:14 |
Brian Rosmaita |
cinder/train: status |
New |
In Progress |
|
2020-05-29 20:59:14 |
Brian Rosmaita |
cinder/train: milestone |
|
15.1.1 |
|
2020-05-29 20:59:14 |
Brian Rosmaita |
cinder/train: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 20:59:47 |
Brian Rosmaita |
cinder/ussuri: importance |
Undecided |
High |
|
2020-05-29 20:59:47 |
Brian Rosmaita |
cinder/ussuri: status |
New |
In Progress |
|
2020-05-29 20:59:47 |
Brian Rosmaita |
cinder/ussuri: milestone |
|
16.0.1 |
|
2020-05-29 20:59:47 |
Brian Rosmaita |
cinder/ussuri: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 21:00:08 |
Brian Rosmaita |
cinder/victoria: milestone |
|
victoria-1 |
|
2020-05-29 21:01:27 |
Brian Rosmaita |
os-brick: importance |
Undecided |
High |
|
2020-05-29 21:01:27 |
Brian Rosmaita |
os-brick: status |
New |
In Progress |
|
2020-05-29 21:01:27 |
Brian Rosmaita |
os-brick: milestone |
|
3.1.0 |
|
2020-05-29 21:01:27 |
Brian Rosmaita |
os-brick: assignee |
|
Ivan Pchelintsev (pcheli) |
|
2020-05-29 21:02:06 |
Brian Rosmaita |
ossn: status |
New |
In Progress |
|
2020-05-29 21:14:46 |
Brian Rosmaita |
attachment added |
|
0001-Add-OSSN-0086.patch https://bugs.launchpad.net/ossn/+bug/1823200/+attachment/5378586/+files/0001-Add-OSSN-0086.patch |
|
2020-05-29 21:15:02 |
Brian Rosmaita |
attachment removed |
0001-Add-OSSN-0086.patch https://bugs.launchpad.net/ossn/+bug/1823200/+attachment/5377033/+files/0001-Add-OSSN-0086.patch |
|
|
2020-05-29 22:19:53 |
Brian Rosmaita |
attachment added |
|
0001-Add-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/queens/+bug/1823200/+attachment/5378587/+files/0001-Add-release-note-for-Bug-1823200.patch |
|
2020-05-30 00:01:36 |
Brian Rosmaita |
attachment added |
|
os-brick-master-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5378598/+files/os-brick-master-release-note-for-Bug-1823200.patch |
|
2020-05-30 02:12:47 |
Brian Rosmaita |
attachment added |
|
cinder-master-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/queens/+bug/1823200/+attachment/5378645/+files/cinder-master-release-note-for-Bug-1823200.patch |
|
2020-05-30 02:13:00 |
Brian Rosmaita |
attachment removed |
0001-Add-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/queens/+bug/1823200/+attachment/5378587/+files/0001-Add-release-note-for-Bug-1823200.patch |
|
|
2020-06-02 03:36:58 |
Brian Rosmaita |
attachment added |
|
bug-18232000-release-notes.tar https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379622/+files/bug-18232000-release-notes.tar |
|
2020-06-02 17:35:03 |
Brian Rosmaita |
attachment removed |
0001-Add-OSSN-0086.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5378586/+files/0001-Add-OSSN-0086.patch |
|
|
2020-06-02 17:36:27 |
Brian Rosmaita |
attachment added |
|
Add-OSSN-0086_still-needs-urls.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379842/+files/Add-OSSN-0086_still-needs-urls.patch |
|
2020-06-02 17:51:14 |
Brian Rosmaita |
attachment removed |
Add-OSSN-0086_still-needs-urls.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379842/+files/Add-OSSN-0086_still-needs-urls.patch |
|
|
2020-06-02 17:51:54 |
Brian Rosmaita |
attachment added |
|
Add-OSSN-0086_still-needs-urls.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379843/+files/Add-OSSN-0086_still-needs-urls.patch |
|
2020-06-02 18:04:59 |
Brian Rosmaita |
attachment removed |
bug-18232000-release-notes.tar https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379622/+files/bug-18232000-release-notes.tar |
|
|
2020-06-02 18:06:35 |
Brian Rosmaita |
attachment added |
|
bug-18232000-release-notes_new.tar https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5379856/+files/bug-18232000-release-notes_new.tar |
|
2020-06-02 18:07:15 |
Brian Rosmaita |
attachment removed |
os-brick-master-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5378598/+files/os-brick-master-release-note-for-Bug-1823200.patch |
|
|
2020-06-02 18:07:31 |
Brian Rosmaita |
attachment removed |
cinder-master-release-note-for-Bug-1823200.patch https://bugs.launchpad.net/cinder/+bug/1823200/+attachment/5378645/+files/cinder-master-release-note-for-Bug-1823200.patch |
|
|
2020-06-03 11:17:49 |
Brian Rosmaita |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-06-03 and will be made
public by or on that date even if no fix is identified.
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
The ScaleIO driver uses the backend storage login and password for authentication for connections to the volume as well as the management API.
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n176
https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/drivers/dell_emc/scaleio/driver.py?h=13.0.4#n229
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently being used stop working, because Nova stores the old password in its block_device_mapping table. (Not a security problem other than the fact that it prevents rotation of passwords, but definitely a bug.)
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds, only Nova should be able to see connection info, not end users), but the situation there is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself. |
|
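A check an operator could run over what a driver's initialize_connection hands back, as an added example that is not part of the bug report or of the Cinder/os-brick code: it flags connection_info values equal to the backend's configured san_login/san_password (issue b) and secrets that repeat across volumes (issue a). The connection_info key names and every value below are constructed; only san_login/san_password are real cinder.conf option names.

```python
# Added example (not the bug report's or Cinder's code); key names are constructed.
def _leaves(obj, path=""):
    """Yield (dotted_path, value) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{path}.{k}" if path else str(k))
    elif isinstance(obj, (list, tuple)):
        for i, v in enumerate(obj):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, obj

def backend_credentials_in(connection_info, backend_config,
                           fields=("san_login", "san_password")):
    """Paths in connection_info whose value equals a backend credential.
    Any hit is a credential that also works against the management API (issue b)."""
    secrets = {backend_config[f] for f in fields if backend_config.get(f)}
    return sorted(p for p, v in _leaves(connection_info)
                  if isinstance(v, str) and v in secrets)

def shared_secrets(infos, suffix="password"):
    """Secret values that appear in more than one volume's connection_info.
    Any hit means credentials are not per-volume (issue a)."""
    seen = {}
    for vol_id, info in infos.items():
        for p, v in _leaves(info):
            if p.lower().endswith(suffix):
                seen.setdefault(v, set()).add(vol_id)
    return {v: ids for v, ids in seen.items() if len(ids) > 1}

BACKEND = {"san_ip": "10.0.0.10", "san_login": "admin", "san_password": "mgmt-secret"}

# Constructed: the pattern the report describes, backend login passed straight through.
PASSTHROUGH = {
    "vol-a": {"data": {"serverIP": "10.0.0.10", "serverUsername": "admin",
                       "serverPassword": "mgmt-secret", "volumeName": "vol-a"}},
    "vol-b": {"data": {"serverIP": "10.0.0.10", "serverUsername": "admin",
                       "serverPassword": "mgmt-secret", "volumeName": "vol-b"}},
}
# Constructed: the per-volume pattern most drivers use, volume-scoped secrets
# unrelated to the management login.
PER_VOLUME = {
    "vol-a": {"data": {"auth_username": "u-a", "auth_password": "s-a"}},
    "vol-b": {"data": {"auth_username": "u-b", "auth_password": "s-b"}},
}

if __name__ == "__main__":
    for name, infos in (("passthrough", PASSTHROUGH), ("per-volume", PER_VOLUME)):
        print(name, backend_credentials_in(infos["vol-a"], BACKEND), shared_secrets(infos))
```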
2020-06-03 11:18:14 |
Brian Rosmaita |
information type |
Private Security |
Public |
|
2020-06-03 11:18:30 |
Brian Rosmaita |
tags |
|
security |
|
2020-06-03 14:46:48 |
OpenStack Infra |
os-brick: status |
In Progress |
Fix Released |
|
2020-06-03 16:26:18 |
OpenStack Infra |
cinder/ussuri: status |
In Progress |
Fix Committed |
|
2020-06-03 16:58:43 |
OpenStack Infra |
cinder/train: status |
In Progress |
Fix Committed |
|
2020-06-03 16:58:52 |
OpenStack Infra |
cinder/stein: status |
In Progress |
Fix Committed |
|
2020-06-03 16:59:00 |
OpenStack Infra |
cinder/rocky: status |
In Progress |
Fix Committed |
|
2020-06-03 16:59:09 |
OpenStack Infra |
cinder/queens: status |
In Progress |
Fix Committed |
|
2020-06-03 17:35:25 |
OpenStack Infra |
ossp-security-documentation: status |
In Progress |
Fix Released |
|
2020-06-03 18:20:22 |
Brian Rosmaita |
cve linked |
|
2020-10755 |
|
2020-06-04 14:11:32 |
OpenStack Infra |
cinder: assignee |
Ivan Pchelintsev (pcheli) |
Sean McGinnis (sean-mcginnis) |
|
2020-06-04 20:25:03 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Released |
|
2020-06-22 20:26:31 |
Corey Bryant |
bug task added |
|
python-os-brick (Ubuntu) |
|
2020-06-22 20:26:55 |
Corey Bryant |
bug task added |
|
cinder (Ubuntu) |
|
2020-06-22 20:27:19 |
Corey Bryant |
nominated for series |
|
Ubuntu Bionic |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
cinder (Ubuntu Bionic) |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
python-os-brick (Ubuntu Bionic) |
|
2020-06-22 20:27:19 |
Corey Bryant |
nominated for series |
|
Ubuntu Focal |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
cinder (Ubuntu Focal) |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
python-os-brick (Ubuntu Focal) |
|
2020-06-22 20:27:19 |
Corey Bryant |
nominated for series |
|
Ubuntu Groovy |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
cinder (Ubuntu Groovy) |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
python-os-brick (Ubuntu Groovy) |
|
2020-06-22 20:27:19 |
Corey Bryant |
nominated for series |
|
Ubuntu Eoan |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
cinder (Ubuntu Eoan) |
|
2020-06-22 20:27:19 |
Corey Bryant |
bug task added |
|
python-os-brick (Ubuntu Eoan) |
|
2020-06-22 20:27:52 |
Corey Bryant |
python-os-brick (Ubuntu Groovy): importance |
Undecided |
High |
|
2020-06-22 20:27:52 |
Corey Bryant |
python-os-brick (Ubuntu Groovy): status |
New |
Triaged |
|
2020-06-22 20:28:03 |
Ubuntu Foundations Team Bug Bot |
tags |
security |
patch security |
|
2020-06-22 20:28:08 |
Corey Bryant |
python-os-brick (Ubuntu Focal): importance |
Undecided |
High |
|
2020-06-22 20:28:08 |
Corey Bryant |
python-os-brick (Ubuntu Focal): status |
New |
Triaged |
|
2020-06-22 20:28:12 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2020-06-22 20:28:25 |
Corey Bryant |
python-os-brick (Ubuntu Eoan): importance |
Undecided |
High |
|
2020-06-22 20:28:25 |
Corey Bryant |
python-os-brick (Ubuntu Eoan): status |
New |
Triaged |
|
2020-06-22 20:28:43 |
Corey Bryant |
python-os-brick (Ubuntu Bionic): importance |
Undecided |
High |
|
2020-06-22 20:28:43 |
Corey Bryant |
python-os-brick (Ubuntu Bionic): status |
New |
Triaged |
|
2020-06-22 20:29:04 |
Corey Bryant |
python-os-brick (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-06-22 20:29:26 |
Corey Bryant |
cinder (Ubuntu Groovy): importance |
Undecided |
High |
|
2020-06-22 20:29:26 |
Corey Bryant |
cinder (Ubuntu Groovy): status |
New |
Triaged |
|
2020-06-22 20:29:44 |
Corey Bryant |
cinder (Ubuntu Focal): importance |
Undecided |
High |
|
2020-06-22 20:29:44 |
Corey Bryant |
cinder (Ubuntu Focal): status |
New |
Triaged |
|
2020-06-22 20:29:59 |
Corey Bryant |
cinder (Ubuntu Eoan): importance |
Undecided |
High |
|
2020-06-22 20:29:59 |
Corey Bryant |
cinder (Ubuntu Eoan): status |
New |
Triaged |
|
2020-06-22 20:30:16 |
Corey Bryant |
cinder (Ubuntu Bionic): importance |
Undecided |
High |
|
2020-06-22 20:30:16 |
Corey Bryant |
cinder (Ubuntu Bionic): status |
New |
Triaged |
|
2020-06-22 20:30:36 |
Corey Bryant |
bug task added |
|
cloud-archive |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/stein |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/stein |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/train |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/train |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/rocky |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/rocky |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/victoria |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/victoria |
|
2020-06-22 20:30:56 |
Corey Bryant |
nominated for series |
|
cloud-archive/ussuri |
|
2020-06-22 20:30:56 |
Corey Bryant |
bug task added |
|
cloud-archive/ussuri |
|
2020-06-22 20:31:22 |
Corey Bryant |
cloud-archive/victoria: importance |
Undecided |
High |
|
2020-06-22 20:31:22 |
Corey Bryant |
cloud-archive/victoria: status |
New |
Triaged |
|
2020-06-22 20:31:40 |
Corey Bryant |
cloud-archive/ussuri: importance |
Undecided |
High |
|
2020-06-22 20:31:40 |
Corey Bryant |
cloud-archive/ussuri: status |
New |
Triaged |
|
2020-06-22 20:31:59 |
Corey Bryant |
cloud-archive/train: importance |
Undecided |
High |
|
2020-06-22 20:31:59 |
Corey Bryant |
cloud-archive/train: status |
New |
Triaged |
|
2020-06-22 20:32:14 |
Corey Bryant |
cloud-archive/stein: importance |
Undecided |
High |
|
2020-06-22 20:32:14 |
Corey Bryant |
cloud-archive/stein: status |
New |
Triaged |
|
2020-06-22 20:32:30 |
Corey Bryant |
cloud-archive/rocky: importance |
Undecided |
High |
|
2020-06-22 20:32:30 |
Corey Bryant |
cloud-archive/rocky: status |
New |
Triaged |
|
2020-06-22 20:32:47 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
High |
|
2020-06-22 20:32:47 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2020-06-25 05:47:47 |
Launchpad Janitor |
cinder (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-06-30 20:00:58 |
Corey Bryant |
cloud-archive: status |
Triaged |
Fix Committed |
|
2020-07-01 16:42:24 |
Corey Bryant |
cloud-archive: status |
Fix Committed |
Fix Released |
|
2020-07-01 16:44:38 |
Corey Bryant |
cloud-archive/train: status |
Triaged |
Fix Committed |
|
2020-07-01 16:44:42 |
Corey Bryant |
tags |
patch security |
patch security verification-train-needed |
|
2020-07-01 16:55:27 |
Corey Bryant |
cloud-archive/stein: status |
Triaged |
Fix Committed |
|
2020-07-01 16:55:31 |
Corey Bryant |
tags |
patch security verification-train-needed |
patch security verification-stein-needed verification-train-needed |
|
2020-07-01 16:59:16 |
Corey Bryant |
cloud-archive/rocky: status |
Triaged |
Fix Committed |
|
2020-07-01 16:59:20 |
Corey Bryant |
tags |
patch security verification-stein-needed verification-train-needed |
patch security verification-rocky-needed verification-stein-needed verification-train-needed |
|
2020-07-07 14:01:28 |
Launchpad Janitor |
python-os-brick (Ubuntu Focal): status |
Triaged |
Fix Released |
|
2020-07-07 14:01:35 |
Launchpad Janitor |
python-os-brick (Ubuntu Bionic): status |
Triaged |
Fix Released |
|
2020-07-07 14:11:36 |
Launchpad Janitor |
cinder (Ubuntu Focal): status |
Triaged |
Fix Released |
|
2020-07-07 14:21:40 |
Launchpad Janitor |
cinder (Ubuntu Bionic): status |
Triaged |
Fix Released |
|
2020-07-07 17:03:52 |
Corey Bryant |
cloud-archive/ussuri: status |
Triaged |
Fix Committed |
|
2020-07-07 17:03:55 |
Corey Bryant |
tags |
patch security verification-rocky-needed verification-stein-needed verification-train-needed |
patch security verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-07-08 15:45:28 |
Corey Bryant |
cloud-archive/ussuri: status |
Fix Committed |
Fix Released |
|
2020-07-08 16:55:26 |
Corey Bryant |
cloud-archive/train: status |
Fix Committed |
Fix Released |
|
2020-07-08 19:07:37 |
Corey Bryant |
cinder (Ubuntu Eoan): status |
Triaged |
Won't Fix |
|
2020-07-08 19:08:02 |
Corey Bryant |
python-os-brick (Ubuntu Eoan): status |
Triaged |
Won't Fix |
|
2020-07-08 21:11:33 |
Corey Bryant |
cloud-archive/stein: status |
Fix Committed |
Fix Released |
|
2020-07-08 21:12:12 |
Corey Bryant |
cloud-archive/rocky: status |
Fix Committed |
Fix Released |
|
2020-07-09 17:48:32 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2020-07-09 17:48:35 |
Corey Bryant |
tags |
patch security verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-07-13 13:57:14 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|
2020-07-24 19:31:14 |
OpenStack Infra |
tags |
patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
in-stable-pike patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-08-17 21:12:32 |
OpenStack Infra |
tags |
in-stable-pike patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
in-stable-pike in-stable-ussuri patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-08-21 00:14:55 |
OpenStack Infra |
tags |
in-stable-pike in-stable-ussuri patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
in-stable-pike in-stable-train in-stable-ussuri patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-09-04 15:12:00 |
OpenStack Infra |
tags |
in-stable-pike in-stable-train in-stable-ussuri patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
in-stable-pike in-stable-stein in-stable-train in-stable-ussuri patch security verification-queens-needed verification-rocky-needed verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2022-12-02 11:05:07 |
OpenStack Infra |
cinder/queens: status |
Fix Committed |
Fix Released |
|
2023-05-03 13:37:13 |
OpenStack Infra |
cinder/rocky: status |
Fix Committed |
Fix Released |
|