Adding Security Note OSSN-0077
Closes-Bug #1562175 Change-Id: I0f0d2cec9948377c7fc8754a87345d7c4ec4f67c
This commit is contained in:
parent
065c36f543
commit
1971945fcc
32
security-notes/OSSN-0077
Normal file
@ -0,0 +1,32 @@
Pre-auth COPY in versioned_writes can result in a successful COPY that
wouldn't have been authorized
---

### Summary ###
This issue is related to the versioning feature of swift and potentially
allows unauthorized users to drive up the storage usage of a third party
account.

Specifically a user can create versions of existing objects belonging to
projects for which he has no authorization. The malicious user cannot
read or write the specific object, or create objects with arbitrary content.

### Affected Services / Software ###
Swift < 2.10.0

### Discussion ###
A versioned write PUT uses a pre-authed request to move an object into
the versioned container before checking whether the user is authorized.
So a user can select a versioned object path that it does not have access to,
request a put on that versioned object, and the request will execute the copy
part before it fails due to lack of permissions.

### Recommended Actions ###
Update Swift to version 2.10.0 where possible.

### Contacts / References ###
Author: Vincenzo Di Somma
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0077
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1562175
Mailing List : [Security] tag on openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
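Review bot: the Recommended Actions section gives operators nothing to do if they cannot upgrade; since the Affected Services line says "Swift < 2.10.0", the fix line should read "Update Swift to version 2.10.0 or later", and the note should state whether disabling the versioned_writes feature named in the title is an acceptable interim mitigation, or say explicitly that no workaround exists. The Discussion section would also be clearer if it named the concrete impact the Summary implies: the pre-auth copy lands a new version in the target account's versions container before the authorization failure, which is what lets an unauthorized user drive up that account's storage usage. Minor wording: "projects for which he has no authorization" and "a versioned object path that it does not have access to" use two different pronouns for the same user; "they" in both places would read consistently.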