Mirantis OpenStack

[murano] YaqlYamlLoader inherits from YamlLoader

  1. Series 5.1.x
  2. Bug #1593002
Bug #1593002 reported by Kirill Zaitsev
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Fix Released
Critical
Kirill Zaitsev
Mirantis OpenStack 9.0
5.1.x
In Progress
Critical
MOS Maintenance
Mirantis OpenStack 5.1.1-updates
6.0.x
In Progress
Critical
MOS Maintenance
Mirantis OpenStack 6.0-updates
6.1.x
Fix Released
Critical
MOS Maintenance
Mirantis OpenStack 6.1-mu-7
7.0.x
Fix Released
Critical
MOS Maintenance
Mirantis OpenStack 7.0-mu-5
8.0.x
Fix Released
Critical
MOS Maintenance
Mirantis OpenStack 8.0-mu-2
9.x
Fix Released
Critical
Kirill Zaitsev
Mirantis OpenStack 9.0

Bug Description

YaqlYamlLoader inherits from YamlLoader, meaning that it is possible to use extended unsafe tags in yaml files http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes

dashboard, engine/api, and client are vulnerable.

CVE Description:
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform a Remote Code Execution attack.

See original description

CVE References

Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Setting to In Progress for 6.1-updates, 7.0-updates, 8.0-updates, the link to reviews is https://review.fuel-infra.org/#/q/topic:bug/1593002

Revision history for this message
Dina Belova (dbelova) wrote :

This is a really simple security vulnerability with remote code execution against the cloud controller node. I agree this can be treated as a critical issue. Let's fix it asap.

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Agree, please merge fix before MOS 9.0 GA release.

Revision history for this message
Dina Belova (dbelova) wrote :

ETA: today, patches are +2/+2/A, should be merged in hours.

Revision history for this message
Victor Ryzhenkin (vryzhenkin) wrote :

Fix for 9.0 included since 494 mos iso build.

Adam Heczko (aheczko-mirantis)
tags: added: feature-security
Vitaly Sedelnik (vsedelnik)
information type: Private Security → Public Security
Revision history for this message
TatyanaGladysheva (tgladysheva) wrote :

Fix for 7.0 is included in MU5 updates.

Vladimir Jigulin (vjigulin)
information type: Public Security → Private Security
information type: Private Security → Public Security
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano (mcp/newton)

Fix proposed to branch: mcp/newton
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/33574

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/python-muranoclient (mcp/newton)

Fix proposed to branch: mcp/newton
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/33707

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/python-muranoclient (11.0/ocata)

Fix proposed to branch: 11.0/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34028

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano (11.0/ocata)

Fix proposed to branch: 11.0/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34033

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano-dashboard (11.0/ocata)

Fix proposed to branch: 11.0/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34051

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/python-muranoclient (mcp/ocata)

Fix proposed to branch: mcp/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34655

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano (mcp/ocata)

Fix proposed to branch: mcp/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34752

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano-dashboard (mcp/ocata)

Fix proposed to branch: mcp/ocata
Change author: Kirill Zaitsev <email address hidden>
Review: https://review.fuel-infra.org/34764

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano-dashboard (11.0/ocata)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: 11.0/ocata
Review: https://review.fuel-infra.org/34051
Reason: 11.0/ocata is obsolete. We use mcp/ocata instead.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/python-muranoclient (11.0/ocata)

Change abandoned by Roman Podoliaka <email address hidden> on branch: 11.0/ocata
Review: https://review.fuel-infra.org/34028
Reason: we do not need 11.0/ocata anymore - use mcp/ocata instead

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano (11.0/ocata)

Change abandoned by Roman Podoliaka <email address hidden> on branch: 11.0/ocata
Review: https://review.fuel-infra.org/34033
Reason: we do not need 11.0/ocata anymore - use mcp/ocata instead

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano (mcp/ocata)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/ocata
Review: https://review.fuel-infra.org/34752
Reason: The patch has been upstreamed and exists in mcp/ocata.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano-dashboard (mcp/ocata)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/ocata
Review: https://review.fuel-infra.org/34764
Reason: The patch has been upstreamed and is not required for mcp/ocata.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/python-muranoclient (mcp/ocata)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/ocata
Review: https://review.fuel-infra.org/34655
Reason: The patch has been upstreamed and is not required in mcp/ocata.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano (mcp/newton)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/newton
Review: https://review.fuel-infra.org/33574
Reason: The patch has been upstreamed and is not required for mcp/newton.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano-dashboard (mcp/newton)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/newton
Review: https://review.fuel-infra.org/33487
Reason: The patch has been upstreamed and is not required for mcp/newton.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/python-muranoclient (mcp/newton)

Change abandoned by Ihor Kalnytskyi <email address hidden> on branch: mcp/newton
Review: https://review.fuel-infra.org/33707
Reason: The patch has been upstreamed and is not required for mcp/newton.

Jeremy Stanley (fungi)
description: updated
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.