Heat denial of service through template-validate
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Sergey Kraynev |
5.0.x | Won't Fix | High | MOS Maintenance |
5.1.x | Fix Committed | High | Sergii Rizvan |
6.0.x | Fix Released | High | Sergii Rizvan |
6.1.x | Fix Released | High | Sergii Rizvan |
7.0.x | Fix Released | High | Sergii Rizvan |
8.0.x | Fix Released | High | Sergey Kraynev |

Bug Description
in service.py validate_template, we do an env.get_class bypassing
the global_
template_
allowed schemas to "('file',)"
https:/
https:/
The net result of this is that any call to template-validate which
specifies type: foo.yaml will read that file from the filesystem of the
heat service - this actually means template-validate calls which should
fail work on typical devstack env's where the client and heat-engine are
co-located (it took me a while to work out why!!)
I've not figured out any way for this to be exploitable, but it definitely
seems wrong that we allow user-provided paths to be read like this,
and there could be some risk if folks could work out a way to make
validation blow up with a stack-trace containing any file contents.
Link on original bug: https:/
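
The scheme allow-list problem described in the report above, as an added illustration that is not Heat's code: the function names, the constructed sample template, and the treatment of a bare path as a read from the service's own filesystem are assumptions.

```python
from urllib.parse import urlparse

# Assumed settings for illustration, not Heat's own names.
PERMISSIVE_SCHEMES = ("http", "https", "file")  # behaviour the report describes
SERVER_SIDE_SCHEMES = ("http", "https")         # no local reads by the service


def nested_template_types(template):
    """Yield (resource name, type) for resources whose type names a template file."""
    for name, res in template.get("resources", {}).items():
        rtype = res.get("type", "")
        if rtype.endswith((".yaml", ".template")):
            yield name, rtype


def source_of(rtype, allowed_schemes, files=None):
    """Return where the nested template would be read from, or None if refused."""
    if files and rtype in files:
        return "files-map"  # content was uploaded with the request itself
    # Assumption: a bare or relative path resolves to the service's filesystem.
    scheme = urlparse(rtype).scheme or "file"
    return scheme if scheme in allowed_schemes else None


def validate_sources(template, allowed_schemes, files=None):
    """Return [(resource, type, verdict)] for every template-typed resource."""
    report = []
    for name, rtype in nested_template_types(template):
        src = source_of(rtype, allowed_schemes, files)
        report.append((name, rtype, "allow:" + src if src else "reject"))
    return report


# Constructed sample template (already parsed from YAML into a dict).
TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "resources": {
        "local": {"type": "foo.yaml"},
        "remote": {"type": "https://example.org/nested.yaml"},
        "builtin": {"type": "OS::Nova::Server"},
    },
}

if __name__ == "__main__":
    for schemes in (PERMISSIVE_SCHEMES, SERVER_SIDE_SCHEMES):
        print(schemes, validate_sources(TEMPLATE, schemes))
```

With the restricted list, a `type: foo.yaml` resource is accepted only when its content arrives in the request's files map, so validation fails on a co-located devstack the same way it does everywhere else.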
Changed in mos: | |
assignee: | nobody → Oleksii Chuprykov (ochuprykov) |
no longer affects: | mos/9.0.x |
information type: | Private → Private Security |
description: | updated |
description: | updated |
tags: | added: on-verification |
information type: | Private Security → Public Security |
tags: | removed: on-verification |
tags: | added: on-verification |
tags: | added: on-verification |
description: | updated |
Patch for MOS 8.0 was merged: https://review.fuel-infra.org/#/c/16092/