Bugzilla – Bug 984871
VUL-0: CVE-2016-4972: openstack-murano: RCE vulnerability in Openstack Murano using insecure YAML tags
Last modified: 2016-06-24 13:54:58 UTC
EMBARGOED CRD: 2016-06-23 15:00 UTC

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: RCE vulnerability in Openstack Murano using insecure YAML tags
Reporter: Kirill Zaitsev
Product: murano
Affects: <=2015.1.1; <=1.0.2; ==2.0.0
Product: murano-dashboard
Affects: <=2015.1.1; <=1.0.2; ==2.0.0
Product: python-muranoclient
Affects: <=0.7.2; >=0.8.0<=0.8.4

Description:
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform a Remote Code Execution attack.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to master, stable/mitaka, and stable/liberty branches on the public disclosure date.

CVE: CVE-2016-4972

Proposed public disclosure date/time: 2016-06-23 (Thursday), 1500UTC

Please do not make the issue public (or release public patches) before this coordinated embargo date.

Regards,

--
Kirill Zaitsev
Murano PTL
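The bug class the advisory describes, as an added illustration that is not part of this bug report or of the Murano patches: a pre-parse scanner that flags extended YAML tags in an application definition, a loader that refuses them and then uses PyYAML's safe loader, and PyYAML's legacy loader for contrast. The sample document (its Name/Namespaces keys are an assumption about Murano's package format) is constructed, and PyYAML is assumed to be installed.

```python
import re

try:
    import yaml  # PyYAML, assumed installed for the two load functions
    HAVE_YAML = True
except ImportError:
    HAVE_YAML = False

# Constructed sample definition; Name/Namespaces mirror an assumed Murano layout.
SAFE_DOC = """\
Name: DemoApp
Namespaces:
  =: io.murano.apps.demo
Properties:
  replicas: 2
"""

# Same document with a Python-specific tag on one value (constructed). A loader
# that honours '!!python/' tags builds a Python object from it; that is the
# mechanism the advisory refers to, shown here with a harmless tuple.
TAGGED_DOC = SAFE_DOC + "Extra: !!python/tuple [1, 2]\n"

# A tag token starts with '!' at line start or after a value separator.
TAG_RE = re.compile(r"(?:^|[\s\[\{,])(!!?[^\s\[\]\{\},]*)")

def find_extended_tags(text, allowed=()):
    """Return (line_no, tag) for each tag that is neither a core-schema type
    ('!!str', '!!int', ...) nor explicitly allowed. A '!' inside a quoted
    string can give a false positive; the list is meant for review."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        for tag in TAG_RE.findall(line):
            if tag.startswith("!!") and "/" not in tag:
                continue  # tag:yaml.org,2002:* scalar and collection types
            if tag not in allowed:
                found.append((no, tag))
    return found

def load_app_definition(text):
    """Refuse extended tags up front, then parse with PyYAML's safe loader,
    which only constructs core-schema types."""
    tags = find_extended_tags(text)
    if tags:
        raise ValueError("extended YAML tags rejected: %r" % (tags,))
    return yaml.safe_load(text)

def load_with_legacy_loader(text):
    """Pre-fix behaviour for contrast: UnsafeLoader (the historical default of
    yaml.load) instantiates Python objects from '!!python/' tags."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)
```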
I do not find murano in the IBS, so I guess we are not shipping it.

(If we do, I could also attach the patches.)
(In reply to Marcus Meissner from comment #1)
> I do not find murano in the IBS, so I guess we are not shipping it.
>
> (If we do, I could also attach the patches.)

Correct, we do not ship this. We do not even package it in OBS, afaik.