Unsafe Environment Handling in MuranoPL
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Murano | New | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | High | Jeremy Stanley |
YAQL | Fix Released | Critical | Takashi Kajinami |
Bug Description
Members of the VMT received the following report by E-mail from "kirualawliet l":
Title: OpenStack Murano Component Information Leakage
Reporter: lawliet and Zhiniang Peng (@edwardzpeng) from Sangfor Security Research Team
Products: OpenStack Murano Component
Affects: All versions of Murano Component
Description:
The Sangfor Security Research Team has identified a critical security vulnerability in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks.
The vulnerability stems from the Murano service's reliance on MuranoPL, an extension of the YAQL language. The YAQL library includes a 'format' function that mirrors Python's 'str.format' method, enabling attribute access.
```python
# code snippet from yaql-2.x, yaql/standard_library/strings.py (before the fix)
from yaql.language import specs, yaqltypes


@specs.parameter('__format_string', yaqltypes.String())
@specs.extension_method
def format_(__format_string, *args, **kwargs):
    """:yaql:format (docstring elided in the report)"""
    # Delegates straight to str.format, so replacement fields may use
    # attribute access ({0.attr}) and indexing ({0[key]}) on the arguments.
    return __format_string.format(*args, **kwargs)
```
An example of this vulnerability includes:
```python
>>> secret_key = "abcd1234"
>>> class Test:
...     def __init__(self):
...         pass
...
>>> t = Test()
>>> # Exploiting the vulnerability to expose sensitive data:
>>> # (format string reconstructed; the report's own line was truncated)
>>> # t.__init__ is a bound method, and its __globals__ is the module
>>> # namespace that holds secret_key.
>>> malicious_format_string = "{0.__init__.__globals__[secret_key]}"
>>> formatted_output = malicious_format_string.format(t)
>>> print(formatted_output)
abcd1234
```
This exploit allows access to Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, granting unauthorized users administrative privileges.
We believe no deployment mode is immune to this vulnerability. To ensure system security, we recommend immediate attention and remediation of this vulnerability within the OpenStack Murano component. Our team stands ready to offer assistance and collaboration in addressing and resolving this issue promptly.
Thank you for your prompt attention to this matter.
Sincerely,
kirualawliet
Sangfor Security Research Team
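The mechanism the report describes, as an added example that is not part of the report and not yaql's own code: Python's `str.format` resolves attribute (`.`) and index (`[...]`) lookups inside replacement fields, so any object reachable from the format string is a path to its module's globals through a bound method's `__globals__`. The `SafeFormatter` below is an illustrative hardening that refuses such fields before they are resolved; it is not the fix yaql shipped. `SERVICE_PASSWORD`, the `Exposed` class and `LEAK_PAYLOAD` are constructed stand-ins for the oslo.config values and the MuranoPL-reachable object the report refers to.

```python
import string

# Constructed stand-in for a secret that lives in a module's globals (the
# report's real target is the Murano service's oslo.config credentials).
SERVICE_PASSWORD = "constructed-secret-value"


class Exposed:
    """Constructed stand-in for any object a format string can reference.

    Any bound method of it (here __init__) carries __globals__, which is the
    namespace of this module, including SERVICE_PASSWORD.
    """

    def __init__(self):
        pass


def vulnerable_format(fmt, *args, **kwargs):
    """Same behaviour as yaql's pre-fix format(): plain str.format."""
    return fmt.format(*args, **kwargs)


class SafeFormatter(string.Formatter):
    """Illustrative hardening (not yaql's fix): allows only bare positional or
    keyword fields such as {0}, {}, {name} or {0!r:>8}, and refuses attribute
    ('.') and index ('[') traversal inside a replacement field."""

    def get_field(self, field_name, args, kwargs):
        # field_name is the text between '{' and the first '!' or ':', e.g.
        # '0', 'name', '0.__init__', 'name[key]'. Nested fields inside a
        # format spec ({0:{1}}) are routed through here as well by vformat().
        if "." in field_name or "[" in field_name:
            raise ValueError(
                "attribute/index access is not allowed in format fields: "
                + repr(field_name)
            )
        return super().get_field(field_name, args, kwargs)


def safe_format(fmt, *args, **kwargs):
    return SafeFormatter().format(fmt, *args, **kwargs)


# The traversal the report relies on: object -> bound method -> __globals__
# -> dict lookup by key. This string is our own constructed payload, written
# to the same pattern as the report's truncated example.
LEAK_PAYLOAD = "{0.__init__.__globals__[SERVICE_PASSWORD]}"


def leak_via_format():
    """Feed the payload to the vulnerable formatter; returns the secret."""
    return vulnerable_format(LEAK_PAYLOAD, Exposed())


def safe_format_rejects(fmt, *args, **kwargs):
    """True if the hardened formatter refuses fmt, False if it formats it."""
    try:
        safe_format(fmt, *args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable formatter leaks:", leak_via_format())
    print("hardened rejects payload:", safe_format_rejects(LEAK_PAYLOAD, Exposed()))
    print("hardened still formats:", safe_format("{0}-{name}", "a", name="b"))
```

The check is placed in `get_field` rather than by scanning the raw string, because `string.Formatter.vformat` calls `get_field` for every field it resolves, including fields nested inside a format spec, so a payload cannot hide behind nesting. Legitimate MuranoPL uses of `format` (positional and keyword substitution, conversions and width specs) still work.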
CVE References
information type: Private Security → Private
information type: Private → Private Security
Changed in yaql:
importance: Undecided → High
Changed in yaql:
importance: High → Critical
description: updated
Please be aware that reports of suspected vulnerabilities in Murano's deliverables aren't officially overseen by the OpenStack VMT, and so won't be producing any public advisory, but we remain available to assist with coordination on a best effort basis at the Murano team's request. https://security.openstack.org/repos-overseen.html#repositories-overseen