oss-sec mailing list archives
[OpenStack OSSN 0080] Aodh can be used to launder Keystone trusts
From: Luke Hinds <lhinds () redhat com>
Date: Thu, 17 Aug 2017 12:00:29 +0100
Aodh can be used to launder Keystone trusts --- ### Summary ### When adding an alarm action with the scheme `trust+http:` Aodh does not verify that the user creating the alarm is the trustor or has the same rights as the trustor, nor that the trust is for the same project as the alarm. ### Affected Services / Software ### Aodh the alarm engine of the Telemetry project. Pike, Ocata and Newton ### Discussion ### When adding an alarm action with the scheme `trust+http:`, Aodh allows the user to provide a trust ID to acquire a token with which to make a webhook request. (If no trust ID is provided then Aodh creates a trust internally, in which case the issue is not present.) However, Aodh makes no attempt to verify that the user creating the alarm is the trustor or has the same rights as the trustor - it also does not attempt to check that the trust is for the same project as the alarm. The nature of the `trust+http:` alarm notifier is that it allows the user to obtain a token given the ID of a trust for which Aodh is the trustee, since the URL is arbitrary and not limited to services in the Keystone catalog. ### Recommended Actions ### A patchfile is attached to the launchpad bug referenced below. It will block use of trust URLs which contain trust ID's and log an error message of "trust URL cannot contain a trust ID.". Any trust action without a trust ID will result in Aodh internally creating a trust ID as before. You will also need to restart the web server used for Aodh API. This is typically apache. In cases of eventlet (in older versions) it will require restart openstack-aodh-api for centos/RHEL/Suse and aodh-api for ubuntu. The fix has also been merged to master (Pike), Ocata and Newton. ### Contacts / References ### Discoverer: Zane Bitter, Red Hat Author: Luke Hinds, Red Hat CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440 This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333 OpenStack Security Project : https://launchpad.net/~openstack-ossg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OpenStack OSSN 0080] Aodh can be used to launder Keystone trusts Luke Hinds (Aug 17)