Add OSSN-0063
Add OSSN-0063, which discusses a bug in the Barbican key manager that is part of Nova and Cinder. This bug has been patched in affected versions that are still supported.

Closes-Bug: #1523646
Change-Id: I649c0d817d96d0dc89367d69c73483b45d8e626f
Author: Dave McCowan
Committed by: Darren Chan
parent c86f87bf88
commit f7df1f4041
security-notes/OSSN-0063 (53 lines, Normal file)
									
										53
									
								
								security-notes/OSSN-0063
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,53 @@ | |||||||
|  | Nova and Cinder key manager for Barbican misuses cached credentials | ||||||
|  | --- | ||||||
|  |  | ||||||
|  | ### Summary ### | ||||||
|  | During the Icehouse release the Cinder and Nova projects added a | ||||||
|  | feature that supports storage volume encryption using keys stored in | ||||||
|  | Barbican. The Barbican key manager, that is part of Nova and | ||||||
|  | Cinder, had a bug that could cause an authorized user to lose access to an | ||||||
|  | encryption key or allow the wrong user to gain access to an encryption key. | ||||||
|  |  | ||||||
|  | ### Affected Services / Software ### | ||||||
|  | Cinder: Icehouse, Juno, Kilo, Liberty | ||||||
|  | Nova: Juno, Kilo, Liberty | ||||||
|  |  | ||||||
|  | ### Discussion ### | ||||||
|  | The Barbican key manager is a feature that is part of Nova and Cinder to | ||||||
|  | allow those projects to create and retrieve keys in Barbican. The key | ||||||
|  | manager includes a cache function that allows for a copy_key() operation | ||||||
|  | to work while only validating the token once with Keystone. | ||||||
|  |  | ||||||
|  | This cache function had a bug such that the cached token was used for | ||||||
|  | operations where it was no longer valid. The symptoms of this error vary, but | ||||||
|  | include a user not being able to access their key or the wrong user being | ||||||
|  | able to access a key. | ||||||
|  |  | ||||||
|  | An affected user would see an error similar to this in their cinder log. | ||||||
|  |  | ||||||
|  | ---- begin cinder.log sample snippet ---- | ||||||
|  | 2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you | ||||||
|  | have made requires authentication. (Disable debug mode to suppress these | ||||||
|  | details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270) | ||||||
|  | ---- end cinder.log sample snippet ---- | ||||||
|  |  | ||||||
|  | ### Recommended Actions ### | ||||||
|  | Users wishing to use the Barbican key manager to provided keys for volume | ||||||
|  | encryption with Nova and Cinder should ensure they are using a patched | ||||||
|  | version. | ||||||
|  |  | ||||||
|  | A specification for a fix has been merged for the Mitaka | ||||||
|  | release of both Nova and Cinder. Additionally these patches have been | ||||||
|  | backported to stable/kilo and stable/liberty. | ||||||
|  |  | ||||||
|  | ### Contacts / References ### | ||||||
|  | This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063 | ||||||
|  | Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1523646 | ||||||
|  | OpenStack Security ML : openstack-security@lists.openstack.org | ||||||
|  | OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||||||
|  | Nova patch for Mitaka : https://review.openstack.org/254358/ | ||||||
|  | Nova patch for stable/liberty: https://review.openstack.org/288490 | ||||||
|  | Cinder patch for Mitaka : https://review.openstack.org/254357/ | ||||||
|  | Cinder patch for stable/liberty: https://review.openstack.org/266678 | ||||||
|  | Cinder patch for stable/kilo: https://review.openstack.org/266680 | ||||||
|  | CVE : N/A | ||||||
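Review bot: the Affected Services list and the Recommended Actions disagree on what is actually fixed. Cinder Icehouse/Juno and Nova Juno/Kilo are listed as affected, but the only patches referenced are for Mitaka, stable/liberty (Nova and Cinder) and stable/kilo (Cinder only); the note should state explicitly that Icehouse and Juno receive no fix and that users on those releases must upgrade, and should either add the Nova stable/kilo review or say that none exists, since the commit message's "affected versions that are still supported" qualifier never reaches the note itself. Two smaller points: "to provided keys" in Recommended Actions should read "to provide keys", and the Original LaunchPad Bug link uses the glance project path (https://bugs.launchpad.net/glance/+bug/1523646) although the note concerns Nova and Cinder; a project-neutral bugs.launchpad.net link for the same bug number would avoid confusion.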