Bug 1203873 - (CVE-2022-3100) VUL-0: CVE-2022-3100: openstack-barbican: openstack-barbican: access policy bypass via query string injection
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/343773/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-3100:7.1:(AV:N...
Depends on:
Blocks:
Reported: 2022-09-29 08:35 UTC by Thomas Leroy
Modified: 2023-01-11 20:22 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-09-29 08:35:12 UTC
rh#2125404

Barbican is including the contents of the request query string in the target data that is used by oslo.policy to enforce policy.

Since oslo.policy uses this data to do string interpolation into the policy rules before enforcing the policy, it gives a malicious user the opportunity to craft query strings to manipulate the policy in arbitrary ways.

For example, a malicious user with a Keystone account is able to decrypt any secret as long as they know the secret's ID by using a specifically crafted query string:

    GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Using this query string, the malicious user is able to fool Barbican into thinking that the user is in the ACL for the secret, which allows for secret decryption.  Since the query string is applied to the target data after the data is fetched from the database, the user-provided query string overrides any values stored in the DB.  In this case, overriding "target.secret.read" to "read", which should only be set when a user is added to the ACL.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2125404
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3100
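The mechanism the description walks through, as an added simulation (not Barbican's code and not the upstream fix): a nested policy target is flattened to dotted keys, oslo.policy-style rules interpolate those keys with %-formatting, and a generic check compares the result against a literal or a credential. The policy rules, secret records, credentials, function names and the exact merge order are constructed for illustration; only the idea that request parameters were merged over DB-derived target data comes from the report.

```python
"""Constructed simulation of the CVE-2022-3100 target-data mix-up.

Added example, not Barbican code and not the upstream fix. It mimics the
shape of an oslo.policy enforcer call: a nested target dict is flattened
to dotted keys, rules interpolate those keys with %-formatting, and a
generic check compares the interpolated value against a literal or a
credential. Policy rules, secrets and credentials below are constructed.
"""
import re
from urllib.parse import parse_qsl

# Constructed policy in oslo.policy rule syntax (assumed shape, not the
# shipped barbican policy file). A quoted left-hand side is a literal;
# an unquoted one is looked up in the caller's credentials.
POLICY = {
    "secret_acl_read": "'read':%(target.secret.read)s",
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secret:decrypt": "rule:secret_acl_read or rule:secret_project_match",
}

_GENERIC = re.compile(r"^(?P<lhs>'[^']*'|[\w.]+):(?P<rhs>.+)$")


def flatten(d, prefix=""):
    """{'target': {'secret': {'read': 'read'}}} -> {'target.secret.read': 'read'}"""
    out = {}
    for key, value in d.items():
        dotted = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, dotted + "."))
        else:
            out[dotted] = value
    return out


def check(expr, creds, target):
    """Evaluate one rule expression against creds and a flattened target."""
    expr = expr.strip()
    if " or " in expr:
        return any(check(part, creds, target) for part in expr.split(" or "))
    if " and " in expr:
        return all(check(part, creds, target) for part in expr.split(" and "))
    if expr.startswith("rule:"):
        return check(POLICY[expr[len("rule:"):]], creds, target)
    m = _GENERIC.match(expr)
    if m is None:
        raise ValueError(f"unsupported check: {expr!r}")
    try:
        # %(target.secret.read)s is filled from the target dict; a key
        # that is absent (no ACL entry stored) makes the check fail closed.
        expected = m.group("rhs") % target
    except KeyError:
        return False
    lhs = m.group("lhs")
    if lhs.startswith("'"):
        return lhs.strip("'") == expected
    return str(creds.get(lhs)) == expected


def build_target_vulnerable(db_secret, query_string):
    """Pre-fix shape: request parameters are merged over DB-derived data."""
    target = flatten({"target": {"secret": dict(db_secret)}})
    # The bug: whatever the caller put in the query string lands in the
    # policy target after the DB values, so any key can be forged, e.g.
    # ?target.secret.read=read claims an ACL entry that does not exist.
    target.update(dict(parse_qsl(query_string)))
    return target


def build_target_fixed(db_secret, _query_string):
    """Post-fix shape: the policy target is built from stored data only."""
    return flatten({"target": {"secret": dict(db_secret)}})


def is_allowed(action, creds, db_secret, query_string, build_target):
    target = build_target(db_secret, query_string)
    return check(POLICY[action], creds, target)


# Constructed fixtures: a secret owned by one project with no ACL entries,
# and a caller from a different project who merely knows the secret ID.
OWNED_SECRET = {"project_id": "proj-owner"}
OWNER = {"project_id": "proj-owner"}
ATTACKER = {"project_id": "proj-attacker"}
FORGED_QUERY = "target.secret.read=read"


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_target_vulnerable),
                          ("fixed", build_target_fixed)):
        print(name, "attacker + forged query ->",
              is_allowed("secret:decrypt", ATTACKER, OWNED_SECRET,
                         FORGED_QUERY, builder))
```

With the vulnerable builder the attacker's `target.secret.read=read` overrides the missing ACL key and `rule:secret_acl_read` passes; with the fixed builder the key is never present for a caller who is not in the ACL, so the check fails closed and only the owning project (or a real ACL entry stored with the secret) can decrypt.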
Comment 1 Thomas Leroy 2022-09-29 08:35:50 UTC
CVSS < 8.0, so wontfix for Cloud8 and Cloud9
Comment 3 Thomas Leroy 2022-09-29 08:38:01 UTC
No other codestream affected, closing
Comment 6 Thomas Leroy 2022-10-18 09:40:03 UTC
Upstream fix:
https://github.com/openstack/barbican/commit/6112c302375bf3d4c27303d12beec52ce2a82a2b

Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
Comment 10 Fergal Mc Carthy 2022-11-16 20:17:19 UTC
Have proposed fixes for this CVE to the relevant packages in build.opensuse.org:
 - Cloud:OpenStack:Rocky:Staging
   https://build.opensuse.org/request/show/1036289
 - Cloud:OpenStack:Pike
   https://build.opensuse.org/request/show/1036290

Once those submit requests are accepted in OBS we can pick them up in the corresponding Devel:Cloud:X:Staging projects in IBS, and they can be tested/validated by the standard gating jobs and, all going well, will be promoted to Devel:Cloud:X project (where X is 8 or 9) and included in a future SOC MUs...
Comment 11 Fergal Mc Carthy 2022-11-30 19:39:33 UTC
The build.opensuse.org Cloud:OpenStack:Pike and Cloud:OpenStack:Rocky changes have landed, and have been propagated to the build.suse.de Devel:Cloud:8:Staging and Devel:Cloud:9:Staging repos.

Once we get passing gating runs for those staging repos the changes will get promoted to DC8 and DC9, and will be included in the next MU builds.
Comment 14 Swamp Workflow Management 2023-01-11 20:21:41 UTC
SUSE-SU-2023:0071-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1203873
CVE References: CVE-2022-3100
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2
SUSE OpenStack Cloud 8 (src):    openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2, venv-openstack-barbican-5.0.2~dev3-12.43.2
HPE Helion Openstack 8 (src):    openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2, venv-openstack-barbican-5.0.2~dev3-12.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2023-01-11 20:22:19 UTC
SUSE-SU-2023:0070-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1203873,1204326
CVE References: CVE-2022-3100,CVE-2022-33891
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    openstack-barbican-7.0.1~dev24-3.17.1, openstack-heat-gbp-14.0.1~dev5-3.12.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1, openstack-neutron-13.0.8~dev209-3.43.1, openstack-neutron-gbp-14.0.1~dev52-3.37.1, spark-2.2.3-5.12.1
SUSE OpenStack Cloud 9 (src):    openstack-barbican-7.0.1~dev24-3.17.1, openstack-heat-gbp-14.0.1~dev5-3.12.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1, openstack-neutron-13.0.8~dev209-3.43.1, openstack-neutron-gbp-14.0.1~dev52-3.37.1, spark-2.2.3-5.12.1, venv-openstack-barbican-7.0.1~dev24-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.43.1, venv-openstack-neutron-13.0.8~dev209-6.43.1, venv-openstack-nova-18.3.1~dev92-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.