After a discussion with those involved, we concluded that we should follow the VMT guidelines for this one, for two reasons:

1. The seriousness of the issue and the possible attack vectors:
   * attackers being able to view share network details
   * attackers creating shares and share groups on share networks (clobbering the namespace of a different tenant and causing denial of service; manila does not provide any way for attackers to connect to these resources and utilize them in a meaningful way to create other kinds of damage)
   * attackers being able to manipulate share networks: create or delete share network subnets, update share network metadata, and delete share networks

2. The Manila team has expressed interest in submitting an application for the "vulnerability-managed" tag, and I will begin working on the process. Handling this bug through the full VMT process allows us to gather experience for dealing with future issues.

I have submitted a request for a CVE to be assigned for this bug. The next steps are as follows:

- Embargoed Disclosure [3] (timeline: 3-5 business days): I will begin this as soon as I hear back from MITRE.
- Disclosure: propose mnaser's patch upstream to master and all open stable branches, and fast-track approvals.
- Send an OSSA to the openstack-discuss ML.

Thanks for your inputs. Please let me know if you have any further comments regarding this.