Bug 1059463 - (CVE-2017-9799) VUL-0: CVE-2017-9799: storm: It was found that under some situations and configurations of Apache Storm 1.x before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner of a topology to trick the supervisor to launch a wo
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Rick Salevsky
Security Team bot
https://smash.suse.de/issue/190155/
CVSSv3:NVD:CVE-2017-9799:8.8:(AV:N/AC...
Reported: 2017-09-20 08:11 UTC by Marcus Meissner
Modified: 2019-01-23 07:45 UTC (History)

Found By: Security Response Team
Description Marcus Meissner 2017-09-20 08:11:14 UTC
CVE-2017-9799

It was found that under some situations and configurations of Apache Storm 1.x
before 1.0.4 and 1.1.x before 1.1.1, it is theoretically possible for the owner
of a topology to trick the supervisor to launch a worker as a different,
non-root, user. In the worst case this could lead to secure credentials of the
other user being compromised.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9799
http://seclists.org/oss-sec/2017/q3/272
http://www.cvedetails.com/cve/CVE-2017-9799/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9799
https://lists.apache.org/thread.html/b9125bf507ed6f2ca6e85ba1a4b44e232aa70eeddfba2a9d8a954127@%3Cdev.storm.apache.org%3E
http://www.securityfocus.com/bid/100235
http://www.securitytracker.com/id/1039116
Comment 1 Johannes Grassler 2017-09-21 12:07:47 UTC
Package updated to 1.0.5. These are the requests for...

...OBS development project:

https://build.opensuse.org/request/show/528028
https://build.opensuse.org/request/show/528029

...Cloud:OpenStack:Master:

https://build.opensuse.org/request/show/528040
https://build.opensuse.org/request/show/528039

...Cloud:OpenStack:Ocata:

https://build.opensuse.org/request/show/528041
https://build.opensuse.org/request/show/528042

...Cloud:OpenStack:Newton (OpenStack release Cloud 7 is based on):

https://build.opensuse.org/request/show/528043
https://build.opensuse.org/request/show/528044
Comment 2 Johannes Grassler 2017-09-21 12:11:01 UTC
Caveat: the packages build fine, but I haven't tested 1.0.5 against Monasca, yet (currently spinning up a test cloud for this).
Comment 3 Johannes Grassler 2017-09-21 15:37:23 UTC
Updated requests for Cloud:OpenStack:* (these have the missing BuildIgnore line):

Cloud:OpenStack:Master:

https://build.opensuse.org/request/show/528101
https://build.opensuse.org/request/show/528102

Cloud:OpenStack:Ocata:

https://build.opensuse.org/request/show/528103
https://build.opensuse.org/request/show/528104

Cloud:OpenStack:Newton:

https://build.opensuse.org/request/show/528105
https://build.opensuse.org/request/show/528106
Comment 6 Dirk Mueller 2017-10-12 07:51:31 UTC
The issue is fixed in the devel projects and in OBS. Rick, could you please schedule, submit and coordinate the maintenance update?
Comment 8 Johannes Grassler 2017-10-17 12:23:12 UTC
https://build.suse.de/request/show/143863 got rejected due to upstream change log entries missing from storm.changes. The following requests fix that issue in OBS and Devel:Cloud:{7,8}:Staging in IBS:

https://build.opensuse.org/request/show/534421
https://build.opensuse.org/request/show/534423
https://build.opensuse.org/request/show/534424
https://build.opensuse.org/request/show/534425
https://build.opensuse.org/request/show/534426
Comment 10 Swamp Workflow Management 2017-11-13 14:07:31 UTC
SUSE-SU-2017:3000-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1048688,1059463
CVE References: CVE-2017-9799
Sources used:
SUSE OpenStack Cloud 7 (src):    storm-1.0.5-5.3
Comment 11 Rick Salevsky 2017-11-14 12:03:40 UTC
@Marcus: The update got released can we close this bug?
Comment 12 Marcus Meissner 2017-11-14 12:07:48 UTC
If you submitted everything, reassign to security-team.

I think we are done.