Bugzilla – Bug 1203873
VUL-0: CVE-2022-3100: openstack-barbican: openstack-barbican: access policy bypass via query string injection
Last modified: 2024-04-19 14:25:24 UTC
rh#2125404

Barbican is including the contents of the request query string in the target data that is used by oslo.policy to enforce policy. Since oslo.policy uses this data to do string interpolation into the policy rules before enforcing the policy, it gives a malicious user the opportunity to craft query strings to manipulate the policy in arbitrary ways.

For example, a malicious user with a Keystone account is able to decrypt any secret as long as they know the secret's ID by using a specifically crafted query string:

GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Using this query string, the malicious user is able to fool Barbican into thinking that the user is in the ACL for the secret, which allows for secret decryption. Since the query string is applied to the target data after the data is fetched from the database, the user-provided query string overrides any values stored in the DB. In this case, overriding "target.secret.read" to "read", which should only be set when a user is added to the ACL.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2125404
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3100
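As an added illustration (this is not code from the bug report, from Barbican or from SUSE), the following Python model reproduces the mechanism described above: ACL state is loaded from the database into a target dict, the request query string is merged in afterwards, and an oslo.policy-style rule is interpolated from that dict. The rule shape `'read':%(target.secret.read)s`, the tiny GenericCheck emulation, the helper names, and the sample secret/ACL data are all assumptions constructed for the example; the real Barbican and oslo.policy code paths are not reproduced. The hardened builder and the `suspicious_target_keys` detection helper go slightly beyond the description: they show the fix in principle and a log-side check for exploitation attempts.

```python
"""Model of the CVE-2022-3100 pattern: request query-string keys merged into
the oslo.policy target dict, overriding ACL state loaded from the database.

Everything here is a constructed model (rule shape, names, sample data);
none of it is taken from Barbican, oslo.policy, or the bug page itself.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed shape of the ACL-read rule. oslo.policy's GenericCheck interpolates
# %(key)s from the target dict, then compares the left-hand literal with the
# interpolated value, so 'read':read passes and an unresolvable key fails.
ACL_READ_RULE = "'read':%(target.secret.read)s"


def acl_target_from_db(secret_row, user_id):
    """Target data as loaded from the DB (constructed model): target.secret.read
    is only set when user_id really is on the secret's read ACL."""
    target = {"target.secret.creator_id": secret_row["creator_id"]}
    if user_id in secret_row["read_users"]:
        target["target.secret.read"] = "read"
    return target


def generic_check(rule, target):
    """Minimal emulation of a 'literal':%(key)s GenericCheck: interpolate the
    right-hand side from target, then compare. A missing key means deny."""
    literal, template = rule.split(":", 1)
    literal = literal.strip("'")
    try:
        value = template % target
    except KeyError:
        return False
    return literal == value


def build_target_vulnerable(db_target, request_path):
    """The behaviour the advisory describes: query parameters are applied to
    the target AFTER the DB values, so the client overrides them."""
    target = dict(db_target)
    for key, values in parse_qs(urlsplit(request_path).query).items():
        target[key] = values[-1]
    return target


def build_target_fixed(db_target, request_path):
    """Hardened form: only server-derived target data reaches the enforcer;
    the query string is never merged into it."""
    return dict(db_target)


def may_decrypt(build_target, secret_row, user_id, request_path):
    """True if the ACL-read rule passes for this user and request path."""
    target = build_target(acl_target_from_db(secret_row, user_id), request_path)
    return generic_check(ACL_READ_RULE, target)


def suspicious_target_keys(request_path):
    """Detection helper: query-string keys that name policy target attributes.
    A legitimate Barbican client has no reason to send these."""
    return sorted(k for k in parse_qs(urlsplit(request_path).query)
                  if k.startswith("target."))


# Constructed sample data: a secret created by 'alice' with 'bob' on its read ACL.
SECRET_ROW = {"creator_id": "alice", "read_users": {"bob"}}
BENIGN = "/v1/secrets/example-secret-id/payload"
MALICIOUS = "/v1/secrets/example-secret-id/payload?target.secret.read=read"

if __name__ == "__main__":
    for user in ("bob", "mallory"):
        for path in (BENIGN, MALICIOUS):
            print(user, path,
                  "vulnerable:", may_decrypt(build_target_vulnerable, SECRET_ROW, user, path),
                  "fixed:", may_decrypt(build_target_fixed, SECRET_ROW, user, path))
    print("suspicious keys:", suspicious_target_keys(MALICIOUS))
```

Running the block shows that `mallory`, who is not on the ACL, passes the rule against the vulnerable builder only when the crafted query string is present, and never against the fixed builder, while `bob` passes in both cases. In an access-log review, any `target.`-prefixed query key on a Barbican endpoint is worth alerting on, since no legitimate client sends one.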
CVSS < 8.0, so wontfix for Cloud8 and Cloud9
No other codestream affected, closing
Upstream fix: https://github.com/openstack/barbican/commit/6112c302375bf3d4c27303d12beec52ce2a82a2b

Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
Have proposed fixes for this CVE to the relevant packages in build.opensuse.org:
- Cloud:OpenStack:Rocky:Staging https://build.opensuse.org/request/show/1036289
- Cloud:OpenStack:Pike https://build.opensuse.org/request/show/1036290

Once those submit requests are accepted in OBS we can pick them up in the corresponding Devel:Cloud:X:Staging projects in IBS, and they can be tested/validated by the standard gating jobs and, all going well, will be promoted to Devel:Cloud:X project (where X is 8 or 9) and included in a future SOC MUs...
The build.opensuse.org Cloud:OpenStack:Pike and Cloud:OpenStack:Rocky changes have landed, and have been propagated to the build.suse.de Devel:Cloud:8:Staging and Devel:Cloud:9:Staging repos. Once we get passing gating runs for those staging repos the changes will get promoted to DC8 and DC9, and will be included in the next MU builds.
SUSE-SU-2023:0071-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1203873
CVE References: CVE-2022-3100
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2
SUSE OpenStack Cloud 8 (src): openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2, venv-openstack-barbican-5.0.2~dev3-12.43.2
HPE Helion Openstack 8 (src): openstack-barbican-5.0.2~dev3-3.17.2, openstack-barbican-doc-5.0.2~dev3-3.17.2, venv-openstack-barbican-5.0.2~dev3-12.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0070-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1203873,1204326
CVE References: CVE-2022-3100,CVE-2022-33891
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): openstack-barbican-7.0.1~dev24-3.17.1, openstack-heat-gbp-14.0.1~dev5-3.12.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1, openstack-neutron-13.0.8~dev209-3.43.1, openstack-neutron-gbp-14.0.1~dev52-3.37.1, spark-2.2.3-5.12.1
SUSE OpenStack Cloud 9 (src): openstack-barbican-7.0.1~dev24-3.17.1, openstack-heat-gbp-14.0.1~dev5-3.12.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1, openstack-neutron-13.0.8~dev209-3.43.1, openstack-neutron-gbp-14.0.1~dev52-3.37.1, spark-2.2.3-5.12.1, venv-openstack-barbican-7.0.1~dev24-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.43.1, venv-openstack-neutron-13.0.8~dev209-6.43.1, venv-openstack-nova-18.3.1~dev92-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done