Bug 998182 - (CVE-2016-7404) VUL-0: CVE-2016-7404: openstack-magnum: Magnum created instances have full API access to creating user's OpenStack account
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://trello.com/c/q0y5EQDH
CVSSv3:RedHat:CVE-2016-7404:6.5:(AV:...
Reported: 2016-09-09 15:07 UTC by Johannes Grassler
Modified: 2017-07-07 10:03 UTC

Found By: Development
Attachments
Draft 5 of patch (WIP) (31.93 KB, patch)
2016-10-04 08:40 UTC, Johannes Grassler

Comment 2 Swamp Workflow Management 2016-09-10 22:00:14 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2016-09-15 08:37:27 UTC
Mitre has assigned CVE-2016-7404.
Comment 6 Johannes Grassler 2016-09-15 14:43:59 UTC
There appears to be a bit of a problem with upstream responsibility for security bugs in Magnum. I asked several core developers, including Hongbin Lu (Magnum's PTL), whether they can access the bug and it 404s for all of them. The reason is that Magnum doesn't appear to be well integrated into the vulnerability management process, i.e. it's not listed on this page and doesn't have a designated vulnerability liaison:

https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management

That being said, I went with the spirit of the process (default to a project's PTL if nobody is named explicitly) and added Hongbin as a subscriber on the upstream bug. He's currently looking at it.
Comment 32 Marcus Meissner 2017-04-10 13:32:56 UTC
https://github.com/openstack/magnum/tree/master/etc/magnum now has it
Comment 35 Marcus Meissner 2017-05-10 15:24:24 UTC
public
Comment 36 Marcus Meissner 2017-05-10 15:26:08 UTC
https://git.openstack.org/cgit/openstack/magnum/commit/?id=0bb0d6486d6771ee21bbf897a091b1aa59e01b22

Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

(cherry picked from commit e93d82e8b3bc19211efd54edc17aebdca50670c1)

Changes for backport:

* Moved cluster_user_trust setting to magnum/common/keystone.py
* Resolved merge conflicts.
* Fixed unit tests with configuration overrides.

Change-Id: I408d845ee4fd00d5bcd1e90f0a78f2bba3f2a57a
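
A check an operator could run to confirm the changes listed in the commit message took effect on a rebuilt cluster, as an added example that is not part of this bug report or of Magnum's code. The `TRUST_ID` key name and the sample file contents are assumptions; the file path, the 0600 mode and the `trust/cluster_user_trust` setting come from the commit message.

```python
import configparser
import os
import stat
import tempfile

HEAT_PARAMS = "/etc/sysconfig/heat-params"  # path named in the commit message
TRUST_KEY = "TRUST_ID"                      # assumed key name, not given on this page


def audit_heat_params(path=HEAT_PARAMS, trust_key=TRUST_KEY):
    """Return a list of findings for one heat-params file (empty list = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~0o600:  # any permission bit beyond owner read/write
        findings.append(f"mode {mode:04o} is wider than 0600")
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key == trust_key and value.strip("\"'"):
                findings.append(f"{trust_key} is present in the instance")
    return findings


def cluster_user_trust_enabled(conf_text):
    """Read trust/cluster_user_trust from magnum.conf text (False when unset)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("trust", "cluster_user_trust", fallback=False)


def demo():
    """Run both checks on constructed sample data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "heat-params")
        with open(path, "w") as fh:  # constructed sample content
            fh.write('SAMPLE_KEY="x"\nTRUST_ID="constructed-trust-id"\n')
        os.chmod(path, 0o755)        # mode before the fix
        before = audit_heat_params(path)
        with open(path, "w") as fh:
            fh.write('SAMPLE_KEY="x"\nTRUST_ID=""\n')
        os.chmod(path, 0o600)        # mode after the fix
        after = audit_heat_params(path)
    enabled = cluster_user_trust_enabled("[trust]\ncluster_user_trust = True\n")
    return before, after, enabled


if __name__ == "__main__":
    print(demo())
```
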
Comment 37 Swamp Workflow Management 2017-05-10 16:11:46 UTC
SUSE-SU-2017:1233-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 998182
CVE References: CVE-2016-7404
Sources used:
SUSE OpenStack Cloud 7 (src):    openstack-magnum-3.1.2~a0~dev20-9.4, openstack-magnum-doc-3.1.2~a0~dev20-9.3