Comment 15 for bug 1861485
Revision history for this message
| Goutham Pacha Ravi (gouthamr) wrote Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant | #15 |
Hi Jeremy, all,
After an discussion with those involved, we concluded to follow the VMT guidelines for this one for two reasons:
# The seriousness of the issue and possible attack vectors:
* attackers being able to view share network details
* attackers creating shares and share groups on share networks
(clobbering namespace of a different tenant causing denial of
service - manila does not provide any way for attackers to
connect to these resources and utilize them in a meaningful
way to create other kinds of damage)
* attackers being able to manipulate share networks - create or
delete share network subnets, update share network metadata and
delete share networks
# the Manila team has expressed interest to submit an application
for the "vulnerability-
process. Handling this bug through the full VMT process allows us to
gather experience to deal with future issues.
I have submitted a request for a CVE to be assigned for this bug. The next steps are as follows:
- Embargoed Disclosure [3] (Timeline: 3-5 business days): I will begin this as soon as
I hear back from MITRE.
- Disclosure: propose mnaser's patch upstream to master and all open
stable branches, fast track approvals
- Send an OSSA to the Openstack-discuss ML
Thanks for your inputs. Please let me know if you have any further comments regarding this.