From 1971945fcc7fb9e3a48b1d494da7a1b50581edef Mon Sep 17 00:00:00 2001 From: Vincenzo Di Somma Date: Thu, 10 Nov 2016 10:34:02 +0100 Subject: [PATCH] Adding Security Note OSSN-0077 Closes-Bug #1562175 Change-Id: I0f0d2cec9948377c7fc8754a87345d7c4ec4f67c --- security-notes/OSSN-0077 | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 security-notes/OSSN-0077 diff --git a/security-notes/OSSN-0077 b/security-notes/OSSN-0077 new file mode 100644 index 00000000..ea1de172 --- /dev/null +++ b/security-notes/OSSN-0077 @@ -0,0 +1,32 @@ +Pre-auth COPY in versioned_writes can result in a successful COPY that +wouldn't have been authorized +--- + +### Summary ### +This issue is related to the versioning feature of swift and potentially +allows unauthorized users to drive up the storage usage of a third party +account. + +Specifically a user can create versions of existing objects belonging to +projects for which he has no authorization. The malicious user cannot +read or write the specific object, or create objects with arbitrary content. + +### Affected Services / Software ### +Swift < 2.10.0 + +### Discussion ### +A versioned write PUT uses a pre-authed request to move an object into +the versioned container before checking whether the user is authorized. +So a user can select a versioned object path that it does not have access to, +request a put on that versioned object, and the request will execute the copy +part before it fails due to lack of permissions. + +### Recommended Actions ### +Update Swift to version 2.10.0 where possible. + +### Contacts / References ### +Author: Vincenzo Di Somma +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0077 +Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1562175 +Mailing List : [Security] tag on openstack-dev@lists.openstack.org +OpenStack Security Group : https://launchpad.net/~openstack-ossg
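Review bot: In "### Recommended Actions ###", the only guidance is "Update Swift to version 2.10.0 where possible.", which leaves operators who cannot upgrade with nothing to act on. Please state whether any interim mitigation exists for them, or say explicitly that none does. Related to that, "### Affected Services / Software ###" lists "Swift < 2.10.0" without qualification, while the Summary ties the issue to the versioning feature. It would help to say whether a deployment is exposed only when versioned writes are in use. Two smaller points: the Summary refers to the user as "he" and the Discussion as "it", so pick one neutral form ("they" or "the user"); and the commit message has "Closes-Bug #1562175" where the usual footer form is "Closes-Bug: #1562175".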