Improper handling of ScaleIO backend credentials
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | High | Sean McGinnis | |
| Cinder / Queens | Fix Released | High | Ivan Pchelintsev | |
| Cinder / Rocky | Fix Released | High | Ivan Pchelintsev | |
| Cinder / Stein | Fix Committed | High | Ivan Pchelintsev | |
| Cinder / Train | Fix Committed | High | Ivan Pchelintsev | |
| Cinder / Ussuri | Fix Committed | High | Ivan Pchelintsev | |
| Cinder / Victoria | Fix Released | High | Sean McGinnis | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Guide Documentation | Fix Released | Undecided | Unassigned | |
| OpenStack Security Notes | In Progress | Undecided | Brian Rosmaita | |
| Ubuntu Cloud Archive | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Queens | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Rocky | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Stein | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Train | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Ussuri | Fix Released | High | Unassigned | |
| Ubuntu Cloud Archive / Victoria | Fix Released | High | Unassigned | |
| os-brick | Fix Released | High | Ivan Pchelintsev | |
| cinder (Ubuntu) | Fix Released | High | Unassigned | |
| cinder (Ubuntu) / Bionic | Fix Released | High | Unassigned | |
| cinder (Ubuntu) / Eoan | Won't Fix | High | Unassigned | |
| cinder (Ubuntu) / Focal | Fix Released | High | Unassigned | |
| cinder (Ubuntu) / Groovy | Fix Released | High | Unassigned | |
| python-os-brick (Ubuntu) | Fix Released | High | Unassigned | |
| python-os-brick (Ubuntu) / Bionic | Fix Released | High | Unassigned | |
| python-os-brick (Ubuntu) / Eoan | Won't Fix | High | Unassigned | |
| python-os-brick (Ubuntu) / Focal | Fix Released | High | Unassigned | |
| python-os-brick (Ubuntu) / Groovy | Fix Released | High | Unassigned | |
Bug Description
The ScaleIO driver uses the backend storage login and password both to authenticate connections to a volume and to authenticate to the management API.
This has a few serious implications:
a) A user can create a volume, retrieve the username/password from that volume, and use it to connect to a different tenant's volume. Most drivers create per-volume credentials.
b) A user can create a volume, retrieve the username/password from that volume, and use it to connect to the ScaleIO management API and presumably do lots of things they shouldn't be allowed to. Most drivers create credentials for volumes that are independent of the management credentials.
c) If the password is changed on the backend, ScaleIO volumes that are currently in use stop working, because Nova stores the old password in its block_device_
Parts of these issues are separately being looked at in bug 1736773 (which generally advises that in some clouds only Nova, not end users, should be able to see connection info), but the situation is worse for the ScaleIO driver because most drivers only put usernames/passwords in connection_info that are usable for a single volume, not for the storage backend itself.
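The exposure described above is easy to check for on a running cloud: take the connection_info a volume attach hands back and see whether any of the backend's own management passwords from cinder.conf appear in it verbatim. The following is an added example, not code from Cinder, os-brick or this bug report. The cinder.conf text and both connection_info dicts are constructed samples; the option names san_login/san_password are the ones Cinder's SAN-style backend sections use, while the ScaleIO-specific keys (serverIP, serverPort, serverUsername, serverPassword) and the post-fix config_group key are assumptions about what the driver placed in connection_info before and after the fix.

```python
"""Audit whether a volume's connection_info carries the backend's own
management credentials (the exposure described in this bug).

Added example, not Cinder or os-brick code.  cinder.conf text and the
connection_info dicts are constructed samples; ScaleIO key names are assumed.
"""
import configparser
import json

# Constructed cinder.conf: a ScaleIO backend with management credentials and
# an LVM backend without any.
SAMPLE_CINDER_CONF = """
[DEFAULT]
enabled_backends = scaleio-1,lvm-1

[scaleio-1]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver
san_ip = 198.51.100.10
san_login = admin
san_password = Sup3rS3cret!

[lvm-1]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
"""

# Constructed connection_info as an end user could read it back before the
# fix: the management login and password travel with every attach.
EXPOSED_CONNECTION_INFO = {
    "driver_volume_type": "scaleio",
    "data": {
        "scaleIO_volname": "vol-0001",
        "serverIP": "198.51.100.10",
        "serverPort": 443,
        "serverUsername": "admin",       # assumed key name
        "serverPassword": "Sup3rS3cret!",  # assumed key name
    },
}

# Assumed post-fix shape: the API only names the backend (config_group) and
# the connector on the compute node resolves the password from a local,
# root-readable file, so nothing secret reaches the API client.
FIXED_CONNECTION_INFO = {
    "driver_volume_type": "scaleio",
    "data": {
        "scaleIO_volname": "vol-0001",
        "serverIP": "198.51.100.10",
        "serverPort": 443,
        "config_group": "scaleio-1",  # assumed key name
    },
}


def backend_credentials(conf_text):
    """Return {backend: (san_login, san_password)} for each enabled backend
    section that sets san_password."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    enabled = [b.strip() for b in cp.get("DEFAULT", "enabled_backends").split(",")]
    creds = {}
    for backend in enabled:
        if cp.has_section(backend) and cp.has_option(backend, "san_password"):
            creds[backend] = (cp.get(backend, "san_login", fallback=None),
                              cp.get(backend, "san_password"))
    return creds


def _string_values(obj):
    """Yield every string leaf of a nested dict/list (the connection_info)."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _string_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _string_values(value)
    elif isinstance(obj, str):
        yield obj


def leaked_backends(conf_text, connection_info):
    """Names of backends whose management password appears verbatim anywhere
    in the connection_info handed to the client.  An empty list means the
    attach did not expose backend-wide credentials."""
    values = set(_string_values(connection_info))
    return sorted(name for name, (_login, password) in
                  backend_credentials(conf_text).items() if password in values)


if __name__ == "__main__":
    for label, info in (("pre-fix", EXPOSED_CONNECTION_INFO),
                        ("post-fix", FIXED_CONNECTION_INFO)):
        print(label, "leaks:", json.dumps(leaked_backends(SAMPLE_CINDER_CONF, info)))
```

A non-empty result from leaked_backends means implications a) and b) apply as written: whoever can read that connection_info holds the same credential the Cinder service uses against the management API, and rotating it (implication c) invalidates every attachment that cached it. Independently of the driver fix, the mitigation bug 1736773 discusses is to restrict who may call the attach/initialize_connection actions in Cinder's policy file so that only the Nova service user, not end users, receives connection_info at all.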
CVE References
Changed in cinder:
    assignee: nobody → Ivan Pchelintsev (pcheli)
    description: updated
Changed in cinder:
    importance: Undecided → High
Changed in cinder:
    status: New → In Progress
Changed in ossa:
    status: Incomplete → Won't Fix
Changed in ossn:
    assignee: nobody → Brian Rosmaita (brian-rosmaita)
Changed in os-brick:
    assignee: nobody → Ivan Pchelintsev (pcheli)
    importance: Undecided → High
    milestone: none → 3.1.0
    status: New → In Progress
Changed in ossn:
    status: New → In Progress
description: updated
information type: Private Security → Public
tags: added: security
Changed in os-brick:
    status: In Progress → Fix Released
Changed in ossp-security-documentation:
    status: In Progress → Fix Released
Changed in cinder:
    assignee: Ivan Pchelintsev (pcheli) → Sean McGinnis (sean-mcginnis)
Changed in cinder:
    status: In Progress → Fix Released
Changed in python-os-brick (Ubuntu Groovy):
    importance: Undecided → High
    status: New → Triaged
tags: added: patch
Changed in python-os-brick (Ubuntu Focal):
    importance: Undecided → High
    status: New → Triaged
Changed in python-os-brick (Ubuntu Eoan):
    importance: Undecided → High
    status: New → Triaged
Changed in python-os-brick (Ubuntu Bionic):
    importance: Undecided → High
    status: New → Triaged
Changed in python-os-brick (Ubuntu Groovy):
    status: Triaged → Fix Released
Changed in cinder (Ubuntu Groovy):
    importance: Undecided → High
    status: New → Triaged
Changed in cinder (Ubuntu Focal):
    importance: Undecided → High
    status: New → Triaged
Changed in cinder (Ubuntu Eoan):
    importance: Undecided → High
    status: New → Triaged
Changed in cinder (Ubuntu Bionic):
    importance: Undecided → High
    status: New → Triaged
Changed in cinder (Ubuntu Groovy):
    status: Triaged → Fix Released
Changed in cloud-archive:
    status: Triaged → Fix Committed
Changed in cloud-archive:
    status: Fix Committed → Fix Released
tags: added: verification-train-needed
tags: added: verification-stein-needed
tags: added: verification-rocky-needed
Changed in python-os-brick (Ubuntu Focal):
    status: Triaged → Fix Released
Changed in python-os-brick (Ubuntu Bionic):
    status: Triaged → Fix Released
Changed in cinder (Ubuntu Focal):
    status: Triaged → Fix Released
Changed in cinder (Ubuntu Bionic):
    status: Triaged → Fix Released
tags: added: verification-ussuri-needed
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.