298b337a16
The server fault "message" is always shown in the API server response, regardless of policy or user role. The fault "details" are only shown to users with the admin role when the fault code is 500. The problem with this is for non-nova exceptions, the fault message is a string-ified version of the exception (see nova.compute.utils.exception_to_dict) which can contain sensitive information which the non-admin owner of the server can see. This change adds a functional test to recreate the issue and a change to exception_to_dict which for the non-nova case changes the fault message by simply storing the exception type class name. Admins can still see the fault traceback in the "details" key of the fault dict in the server API response. Note that _get_fault_details is changed so that the details also includes the exception value which is what used to be in the fault message for non-nova exceptions. This is necessary so admins can still get the exception message with the traceback details. Note that nova exceptions with a %(reason)s replacement variable could potentially be leaking sensitive details as well but those would need to be cleaned up on a case-by-case basis since we don't want to change the behavior of all fault messages otherwise users might not see information like NoValidHost when their server goes to ERROR status during scheduling. SecurityImpact: This change contains a fix for CVE-2019-14433. Change-Id: I5e0a43ec59341c9ac62f89105ddf82c4a014df81 Closes-Bug: #1837877
24 lines
1.1 KiB
YAML
24 lines
1.1 KiB
YAML
---
|
|
security:
|
|
- |
|
|
`OSSA-2019-003`_: Nova Server Resource Faults Leak External Exception
|
|
Details (CVE-2019-14433)
|
|
|
|
This release contains a security fix for `bug 1837877`_ where users
|
|
without the admin role can be exposed to sensitive error details in
|
|
the server resource fault ``message``.
|
|
|
|
There is a behavior change where non-nova exceptions will only record
|
|
the exception class name in the fault ``message`` field which is exposed
|
|
to all users, regardless of the admin role.
|
|
|
|
The fault ``details``, which are only exposed to users with the admin role,
|
|
will continue to include the traceback and also include the exception
|
|
value which for non-nova exceptions is what used to be exposed in the
|
|
fault ``message`` field. Meaning, the information that admins could see
|
|
for server faults is still available, but the exception value may be in
|
|
``details`` rather than ``message`` now.
|
|
|
|
.. _OSSA-2019-003: https://security.openstack.org/ossa/OSSA-2019-003.html
|
|
.. _bug 1837877: https://bugs.launchpad.net/nova/+bug/1837877
|