Comment 15 for bug 1861485

Goutham Pacha Ravi (gouthamr) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

Hi Jeremy, all,

After a discussion with those involved, we concluded that we should follow the VMT guidelines for this one, for two reasons:

# The seriousness of the issue and possible attack vectors:
 * attackers being able to view share network details
 * attackers creating shares and share groups on share networks
    (clobbering namespace of a different tenant causing denial of
    service - manila does not provide any way for attackers to
    connect to these resources and utilize them in a meaningful
    way to create other kinds of damage)
 * attackers being able to manipulate share networks - create or
    delete share network subnets, update share network metadata and
    delete share networks

# The Manila team has expressed interest in submitting an application
   for the "vulnerability-managed" tag, and I will begin working on the
   process. Handling this bug through the full VMT process allows us to
   gather experience for dealing with future issues.

I have submitted a request for a CVE to be assigned for this bug. The next steps are as follows:

- Embargoed disclosure [3] (timeline: 3-5 business days): I will begin this as soon as
   I hear back from MITRE.
- Disclosure: propose mnaser's patch upstream to master and all open
   stable branches, and fast-track approvals.
- Send an OSSA to the openstack-discuss ML.

Thanks for your input. Please let me know if you have any further comments regarding this.