Eucalyptus issue EUCA-3074: Walrus does not check authorization for some operations

    Details

    • Benefit: Medium
    • Security: Yes
    • SLA: Not Applicable
    • Rank: 2650
    • Damage Potential: 9

      Description

      Walrus does not check authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus and SetBucketVersioningStatus operations.

      Walrus authenticates the user but does not verify that the user is permitted to perform the operation on the bucket.

      I've only verified the SetBucketVersioningStatus issue; the others are from code review, so they may be incorrect (see WalrusManager).

      Sub-tasks:
      1. Obtain CVE (Resolved, Unassigned)
      2. Create ESA (Resolved, Unassigned)

        Activity

        Zach Hill added a comment -

        The correct behavior is that only the owner of the bucket should be able to set these properties.

        Zach Hill added a comment -

        This should also be a strong candidate for 3.2.1. It is not a difficult fix or difficult to test. The fix is to add the permissions checks in 3-4 methods and test by verifying that non-bucket-owners cannot perform them but the bucket-owner can.

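The owner-only check the comment above calls for, as an added Python model that is not Walrus or Eucalyptus code (the bucket, context and handler names are assumptions): it shows the authenticated-but-unauthorized handler beside the fixed one, and the owner/non-owner test the comment describes.

```python
# Added example, not Eucalyptus/Walrus code: a model of the EUCA-3074 bug class.
# Walrus authenticated the caller but did not check that the caller owned the
# bucket before changing its versioning status. All names here are assumptions.
from dataclasses import dataclass

class AccessDenied(Exception):
    """Authenticated caller is not permitted to act on this bucket."""

@dataclass
class Bucket:
    name: str
    owner_id: str
    versioning: str = "Suspended"

@dataclass
class Context:
    """What authentication establishes: who the caller is, nothing more."""
    user_id: str

def require_bucket_owner(ctx: Context, bucket: Bucket, op: str) -> None:
    """Authorization step: bucket property setters are owner-only."""
    if ctx.user_id != bucket.owner_id:
        raise AccessDenied(f"{ctx.user_id} may not {op} on bucket {bucket.name}")

def set_bucket_versioning_status_unchecked(ctx: Context, bucket: Bucket, status: str) -> str:
    """Vulnerable shape: caller is authenticated but never authorized."""
    bucket.versioning = status
    return bucket.versioning

def set_bucket_versioning_status(ctx: Context, bucket: Bucket, status: str) -> str:
    """Fixed shape: the same handler with the owner check added first."""
    require_bucket_owner(ctx, bucket, "SetBucketVersioningStatus")
    bucket.versioning = status
    return bucket.versioning

def owner_only_check(handler) -> dict:
    """The test the comment describes: the owner succeeds, a non-owner is refused.
    Returns {"owner": bool, "non_owner": bool}, True when the call changed the bucket."""
    results = {}
    for label, user in (("owner", "alice"), ("non_owner", "mallory")):
        bucket = Bucket(name="reports", owner_id="alice")  # constructed sample
        try:
            handler(Context(user_id=user), bucket, "Enabled")
        except AccessDenied:
            pass
        results[label] = bucket.versioning == "Enabled"
    return results

if __name__ == "__main__":
    print("unchecked:", owner_only_check(set_bucket_versioning_status_unchecked))
    print("fixed:    ", owner_only_check(set_bucket_versioning_status))
```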
        Neil Soman added a comment -

        Committed to team/storage/EUCA-3074. To Vika for review.

        Victor Iglesias added a comment -

        Vika Felmetsger will you be testing this fix?

        Vika Felmetsger added a comment -

        Victor Iglesias yes, I'm in the middle of it. I'll let you know if I need any help from QA, but most likely not as the fix is very localized.

        Aaron Withrow added a comment -

        3.2.2 has been released, moving this to Resolved.
