openstack/security-doc
Code Issues Proposed changes
3860bbff9a
security-doc/security-notes/OSSN-0063
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes 
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

56 lines
2.4 KiB
Plaintext
Raw Blame History

Nova and Cinder key manager for Barbican misuses cached credentials
---
### Summary ###
During the Icehouse release the Cinder and Nova projects added a feature
that supports storage volume encryption using keys stored in Barbican.
The Barbican key manager, that is part of Nova and Cinder, had a bug
that could cause an authorized user to lose access to an encryption key
or allow the wrong user to gain access to an encryption key.
### Affected Services / Software ###
Cinder: Icehouse, Juno, Kilo, Liberty
Nova: Juno, Kilo, Liberty
### Discussion ###
The Barbican key manager is a feature that is part of Nova and Cinder to
allow those projects to create and retrieve keys in Barbican. The key
manager includes a cache function that allows for a copy_key() operation
to work while only validating the token once with Keystone.
This cache function had a bug such that the cached token was used for
operations where it was no longer valid. The symptoms of this error
vary, but include a user not being able to access their key or the wrong
user being able to access a key.
An affected user would see an error similar to this in their cinder log:
---- begin cinder.log sample snippet ----
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The
request you have made requires authentication. (Disable debug mode to
suppress these details.) (HTTP 401) (Request-ID:
req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
---- end cinder.log sample snippet ----
### Recommended Actions ###
Users wishing to use the Barbican key manager to provided keys for
volume encryption with Nova and Cinder should ensure they are using a
patched version.
A specification for a fix has been merged for the Mitaka release of both
Nova and Cinder. Additionally these patches have been backported to
stable/kilo and stable/liberty.
### Contacts / References ###
Author: Dave McCowan, Cisco
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1523646
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Nova patch for Mitaka : https://review.openstack.org/254358/
Nova patch for stable/liberty: https://review.openstack.org/288490
Cinder patch for Mitaka : https://review.openstack.org/254357/
Cinder patch for stable/liberty: https://review.openstack.org/266678
Cinder patch for stable/kilo: https://review.openstack.org/266680
CVE : N/A
View Git Blame Copy Permalink