Bug 855333 (CVE-2013-6426) - VUL-0: CVE-2013-6426: openstack-heat: CFN policy rules not all enforced
Summary: VUL-0: CVE-2013-6426: openstack-heat: CFN policy rules not all enforced
Status: RESOLVED FIXED
Alias: CVE-2013-6426
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-04-22
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:56958:moderate maint:re...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-13 10:33 UTC by Alexander Bergmann
Modified: 2014-09-25 11:17 UTC
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2013-12-13 10:33:52 UTC
OpenStack Security Advisory: 2013-034
CVE: CVE-2013-6426
Public via oss-security:

Date: December 11, 2013
Title: Heat CFN policy rules not all enforced
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.

Icehouse (development branch) fix:
https://review.openstack.org/61452

Havana fix:
https://review.openstack.org/61454

Notes:
This fix will be included in the icehouse-2 development milestone
and in a future 2013.2.1 release.


References:
http://comments.gmane.org/gmane.comp.security.oss.general/11676
http://comments.gmane.org/gmane.comp.security.oss.general/11677
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6426
https://bugzilla.redhat.com/show_bug.cgi?id=1039141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6426
https://launchpad.net/bugs/1256049
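To illustrate the class of bug the advisory above describes (a rule present in policy.json that the API method never checks), here is an added example that is not Heat's code: a tiny evaluator for two of the rule forms Heat's policy file uses, a hypothetical policy_enforce decorator, a CreateStack handler before and after enforcement, and an audit helper that lists CFN actions whose handler enforces nothing. The policy entries, the heat_stack_user role, the decorator and the handler names are assumptions made for this example.

```python
import functools
# Constructed subset of Heat's policy.json (an assumption for this example): the
# deny_stack_user rule is meant to keep the per-instance heat_stack_user role out.
POLICY = {
    "deny_stack_user": "not role:heat_stack_user",
    "cloudformation:CreateStack": "rule:deny_stack_user",
    "cloudformation:UpdateStack": "rule:deny_stack_user",
}

def check_rule(expr, roles, policy=POLICY):
    """Evaluate the 'not ...', 'rule:x' and 'role:y' forms used in POLICY."""
    if expr.startswith("not "):
        return not check_rule(expr[4:], roles, policy)
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check_rule(policy[value], roles, policy)
    if kind == "role":
        return value in roles
    raise ValueError("unsupported check: %r" % expr)

def policy_enforce(action):
    """Hypothetical decorator standing in for Heat's per-action policy check."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(ctx, *args, **kwargs):
            if not check_rule(POLICY["cloudformation:" + action], ctx["roles"]):
                raise PermissionError(action)
            return fn(ctx, *args, **kwargs)
        wrapper.enforced_action = action  # visible to the audit below
        return wrapper
    return decorate
# Before the fix: a rule exists in policy.json, but the handler never consults it.
def create_stack_unenforced(ctx, stack_name):
    return "created %s" % stack_name
# After the fix: the action is checked against the policy before it runs.
@policy_enforce("CreateStack")
def create_stack_enforced(ctx, stack_name):
    return "created %s" % stack_name

def outcome(handler, ctx, stack_name="demo"):
    # 'allowed' or 'denied', so the two handlers can be compared side by side
    try:
        handler(ctx, stack_name)
        return "allowed"
    except PermissionError:
        return "denied"

def unenforced_actions(handlers, policy=POLICY):
    """Audit: CFN actions that have a policy rule but whose handler does not enforce it."""
    actions = [a.split(":", 1)[1] for a in policy if a.startswith("cloudformation:")]
    return sorted(x for x in actions
                  if getattr(handlers.get(x), "enforced_action", None) != x)
```

With an in-instance context of roles ["heat_stack_user"], the unenforced handler returns "allowed" and the enforced one "denied"; the audit reports every CFN action in the policy whose handler carries no matching enforcement.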
Comment 1 Swamp Workflow Management 2013-12-13 23:00:26 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-04-08 15:24:17 UTC
The SWAMPID for this issue is 56958.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-22.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Swamp Workflow Management 2014-09-25 00:07:38 UTC
SUSE-RU-2014:1215-1: An update that has three recommended fixes can now be installed.

Category: recommended (low)
Bug References: 855331,855333,882866
CVE References: 
Sources used:
SUSE Cloud 3 (src):    openstack-ceilometer-2013.2.4.dev5.ga2c909c-0.9.2, openstack-ceilometer-doc-2013.2.4.dev5.ga2c909c-0.9.2, openstack-cinder-2013.2.4.dev2.g81259f3-0.9.2, openstack-cinder-doc-2013.2.4.dev2.g81259f3-0.9.7, openstack-glance-2013.2.4.dev3.g396ca82-0.9.2, openstack-glance-doc-2013.2.4.dev3.g396ca82-0.9.7, openstack-heat-2013.2.4.dev3.g6f91215-0.11.1, openstack-heat-cfntools-1.2.7.5.g9bd9604-0.9.2, openstack-nova-2013.2.4.dev18.g0bf0bb4-0.9.2, openstack-nova-doc-2013.2.4.dev18.g0bf0bb4-0.9.7
Comment 7 Marcus Meissner 2014-09-25 11:17:48 UTC
considering fixed