[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)

Bug #1442579 reported by Alexander Makarov
Affects             Status         Importance  Assigned to              Milestone
Mirantis OpenStack  Fix Released   Critical    Alexander Makarov
  5.0.x             Fix Committed  Critical    Alexander Makarov
  5.1.x             Fix Released   Critical    Alexander Nevenchannyy
  6.0.x             Fix Released   Critical    Alexander Nevenchannyy
  6.1.x             Fix Released   Critical    Alexander Makarov
  7.0.x             Fix Released   Critical    Alexander Makarov

Bug Description

Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in an S3Token paste configuration file its value is effectively
ignored and instead assumed to be true. As a result certificate
verification will be disabled, leaving TLS connections open to MITM
attacks. Note that it's unusual to explicitly add this option and then
set it to false, so the impact of this bug is thought to be limited. All
versions of s3_token middleware with TLS settings configured are
affected by this flaw.
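As an added illustration (not code from keystonemiddleware or from the patches linked in this bug), the Python below shows the bug class the description refers to: a paste configuration hands every option to the middleware factory as a string, so the string 'false' is truthy and a naive test on it switches certificate verification off whenever the option is present at all. The `bool_from_string` helper is my own strict parser written to behave like the oslo.utils `strutils.bool_from_string` that the merged commits mention; the sample INI text and the function names `verify_flag_buggy`, `verify_flag_fixed` and `audit` are constructed for this example.

```python
# Added example: how a string-typed 'insecure' option defeats a truthiness
# test, and how a strict boolean parser fixes it. Constructed sample; not
# keystonemiddleware's code.
import configparser

TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes')
FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no')


def bool_from_string(value, default=False):
    """Strict boolean parser (my re-implementation of the idea behind
    oslo.utils strutils.bool_from_string). Unknown spellings raise instead
    of silently falling back to a default, so a typo in a security-relevant
    setting fails loudly at startup rather than quietly weakening TLS."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognized boolean value: %r" % (value,))


def load_filter_conf(ini_text):
    """Parse a paste-style [filter:s3_token] section into a dict. Every
    value comes back as str, exactly as a paste filter_factory sees it."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser['filter:s3_token'])


def verify_flag_buggy(conf):
    """Vulnerable pattern: the raw option string is used as a boolean.
    'false' is a non-empty string, hence truthy, so verification is
    disabled as soon as the option appears in the config at all."""
    insecure = conf.get('insecure', False)
    return not insecure          # verify=False for insecure='false' (wrong)


def verify_flag_fixed(conf):
    """Hardened pattern: parse the string explicitly before negating it."""
    insecure = bool_from_string(conf.get('insecure'), default=False)
    return not insecure          # verify=True for insecure='false' (right)


# Constructed paste config: the operator explicitly asks for verification.
SAMPLE_INI = """
[filter:s3_token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_protocol = https
insecure = false
"""


def audit(ini_text):
    """Return what each variant would pass as the TLS 'verify' flag."""
    conf = load_filter_conf(ini_text)
    return {'buggy': verify_flag_buggy(conf), 'fixed': verify_flag_fixed(conf)}


if __name__ == '__main__':
    print(audit(SAMPLE_INI))     # {'buggy': False, 'fixed': True}
```

Run against the sample, the buggy variant reports verify=False even though the operator wrote `insecure = false`; the fixed variant keeps verification on. With the option absent both variants agree, which is why the description notes the impact was limited to deployments that spelled the option out.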

information type: Private Security → Private
information type: Private → Private Security
information type: Private Security → Public Security
Alexey Galkin (agalkin) wrote :

On verification in 6.1.x

tags: added: on-verification
Alexey Galkin (agalkin) wrote :

Tested on iso #455.
Deployed env with: Juno on Ubuntu 14.04.1 (2014.2.2-6.1)
Keystone client (keystonemiddleware) with /usr/lib/python2.7/dist-packages/keystoneclient/middleware/s3_token.py [line 122] has been fixed, but the file /usr/lib/python2.7/dist-packages/keystonemiddleware/s3_token.py [line 118] remains unchanged. Are you sure that this is correct?
---
/usr/lib/python2.7/dist-packages/keystonemiddleware/s3_token.py -> http://paste.openstack.org/show/236715/
/usr/lib/python2.7/dist-packages/keystoneclient/middleware/s3_token.py -> http://paste.openstack.org/show/236716/

Alexey Galkin (agalkin) wrote :

I'm sorry, confused files.

Keystone client (keystonemiddleware) with /usr/lib/python2.7/dist-packages/keystonemiddleware/s3_token.py [line 122] has been fixed, but the file /usr/lib/python2.7/dist-packages/keystoneclient/middleware/s3_token.py [line 118] remains unchanged.

Timur Nurlygayanov (tnurlygayanov) wrote :

So, it looks like this bug was not completely fixed; we need to investigate the issue with the duplicated code that lacks the fix and fix it again in MOS 6.1.

Alexander Makarov (amakarov) wrote :

Specs are needed to merge changes for keystonemiddleware in MOS 6.x

Alexander Makarov (amakarov) wrote :
Dmitry Mescheryakov (dmitrymex) wrote :

After talking with Dmitry Burmistrov we decided that we will continue tracking keystonemiddleware in packages/* repo, not in openstack/* because otherwise we will have issues with wrong packages' version order.

Reassigning the bug back to Alexander as it is he who makes the patches.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/python-keystoneclient (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Alexandr Nevenchannyy <email address hidden>
Review: https://review.fuel-infra.org/9286

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/python-keystoneclient (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/9286
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 620f4d1fe8045fe1e142187268a4145024d45f3d
Author: Alexandr Nevenchannyy <email address hidden>
Date: Thu Jul 16 15:54:06 2015

Fix s3_token middleware parsing insecure option

Added function _bool_from_string from oslo.utils

Closes-Bug: #1449023

Change-Id: Ie994c05e781668fcf855d1fa481df0fd59421fd4
Closes-bug: #1442579
Closes-Bug: #1449023

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/python-keystoneclient (openstack-ci/fuel-5.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1-updates/2014.1.1
Change author: Alexandr Nevenchannyy <email address hidden>
Review: https://review.fuel-infra.org/9441

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/python-keystoneclient (openstack-ci/fuel-5.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/9441
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1-updates/2014.1.1

Commit: da8749c64263fd5361a99d91e461daab155e9186
Author: Alexandr Nevenchannyy <email address hidden>
Date: Thu Jul 23 15:59:10 2015

Fix s3_token middleware parsing insecure option

Added function _bool_from_string from oslo.utils.

Closes-Bug: #1449023

Change-Id: Ie994c05e781668fcf855d1fa481df0fd59421fd4
Closes-bug: #1442579
Closes-Bug: #1449023
(cherry picked from commit 620f4d1fe8045fe1e142187268a4145024d45f3d)

Oleksiy Butenko (obutenko) wrote :

verified on MOS 7.0 ISO 265
{"build_id": "265", "build_number": "265", "release_versions": {"2015.1.0-7.0": {"VERSION": {"build_id": "265", "build_number": "265", "api": "1.0", "fuel-library_sha": "4fdf3d6b070204366593012428395d173698678a", "nailgun_sha": "0dfcf73deb8ae99654f3da2ea95b7b68b9ee7273", "feature_groups": ["mirantis"], "fuel-nailgun-agent_sha": "d7027952870a35db8dc52f185bb1158cdd3d1ebd", "openstack_version": "2015.1.0-7.0", "fuel-agent_sha": "082a47bf014002e515001be05f99040437281a2d", "production": "docker", "python-fuelclient_sha": "9643fa07f1290071511066804f962f62fe27b512", "astute_sha": "e63709d16bd4c1949bef820ac336c9393c040d25", "fuel-ostf_sha": "582a81ccaa1e439a3aec4b8b8f6994735de840f4", "release": "7.0", "fuelmain_sha": "9ab01caf960013dc882825dc9b0e11ccf0b81cb0"}}}, "auth_required": true, "api": "1.0", "fuel-library_sha": "4fdf3d6b070204366593012428395d173698678a", "nailgun_sha": "0dfcf73deb8ae99654f3da2ea95b7b68b9ee7273", "feature_groups": ["mirantis"], "fuel-nailgun-agent_sha": "d7027952870a35db8dc52f185bb1158cdd3d1ebd", "openstack_version": "2015.1.0-7.0", "fuel-agent_sha": "082a47bf014002e515001be05f99040437281a2d", "production": "docker", "python-fuelclient_sha": "9643fa07f1290071511066804f962f62fe27b512", "astute_sha": "e63709d16bd4c1949bef820ac336c9393c040d25", "fuel-ostf_sha": "582a81ccaa1e439a3aec4b8b8f6994735de840f4", "release": "7.0", "fuelmain_sha": "9ab01caf960013dc882825dc9b0e11ccf0b81cb0"}

tags: added: feature-security