Details

    • Benefit:
      Medium
    • Security:
      Yes
    • SLA:
      Not Applicable
    • Rank:
      1|hzxr0n:
    • Damage Potential:
      9

      Description

      Walrus does not check authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus and SetBucketVersioningStatus operations.

      Walrus authenticates the user but does not verify that the user is permitted to perform the operation on the bucket.

      I've only verified the SetBucketVersioningStatus issue; the others come from code review, so they may be incorrect (see WalrusManager).
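      The following is an added illustration, not code from Walrus or from WalrusManager: it models the authorization gap the description reports (the caller is authenticated, but nobody checks that the caller owns the bucket) and shows the owner check that closes it. The `Principal`, `Bucket` and `BucketPropertyService` classes, the `AccessDenied` error and the `hardened` switch are all constructed for this example and are not Eucalyptus identifiers; the `owner_check_test` function runs the three operations as the bucket owner and as another authenticated user, which is the test the fix calls for.

```python
"""Added example (hypothetical, not Walrus/Eucalyptus code): the missing
bucket-owner authorization check for the bucket logging/versioning
property operations, shown in its vulnerable and hardened forms."""
from dataclasses import dataclass
from typing import Dict, Tuple


class AccessDenied(Exception):
    """Caller is authenticated but not authorized for this bucket (constructed)."""


@dataclass
class Principal:
    user_id: str
    authenticated: bool = True


@dataclass
class Bucket:
    name: str
    owner_id: str
    logging_enabled: bool = False
    versioning: str = "Suspended"


class BucketPropertyService:
    """Per-bucket property operations; 'hardened' turns the owner check on."""

    def __init__(self, buckets: Dict[str, Bucket], hardened: bool = True) -> None:
        self._buckets = buckets
        self._hardened = hardened

    def _authorize(self, caller: Principal, bucket_name: str) -> Bucket:
        # Step 1: authentication. This is the part the ticket says already happens.
        if not caller.authenticated:
            raise AccessDenied("caller is not authenticated")
        bucket = self._buckets.get(bucket_name)
        if bucket is None:
            raise KeyError(bucket_name)
        # Step 2: authorization. Only the bucket owner may read or set these
        # properties. The vulnerable variant (hardened=False) skips this check,
        # so any authenticated user can act on any bucket.
        if self._hardened and caller.user_id != bucket.owner_id:
            raise AccessDenied(f"{caller.user_id} does not own bucket {bucket_name}")
        return bucket

    def get_bucket_logging_status(self, caller: Principal, bucket_name: str) -> bool:
        return self._authorize(caller, bucket_name).logging_enabled

    def set_bucket_logging_status(self, caller: Principal, bucket_name: str, enabled: bool) -> None:
        self._authorize(caller, bucket_name).logging_enabled = enabled

    def set_bucket_versioning_status(self, caller: Principal, bucket_name: str, status: str) -> None:
        if status not in ("Enabled", "Suspended"):
            raise ValueError(f"unknown versioning status {status!r}")
        self._authorize(caller, bucket_name).versioning = status


OPS = ("get_logging", "set_logging", "set_versioning")


def owner_check_test(hardened: bool) -> Dict[Tuple[str, str], str]:
    """Run each operation as the owner and as a non-owner on constructed data.

    Returns a map of (role, operation) -> "allowed" | "denied" so the two
    variants of the service can be compared directly.
    """
    buckets = {"photos": Bucket(name="photos", owner_id="alice")}  # constructed
    svc = BucketPropertyService(buckets, hardened=hardened)
    alice = Principal("alice")  # bucket owner
    bob = Principal("bob")      # authenticated, but not the owner
    results: Dict[Tuple[str, str], str] = {}
    for role, who in (("owner", alice), ("non_owner", bob)):
        calls = {
            "get_logging": lambda: svc.get_bucket_logging_status(who, "photos"),
            "set_logging": lambda: svc.set_bucket_logging_status(who, "photos", True),
            "set_versioning": lambda: svc.set_bucket_versioning_status(who, "photos", "Enabled"),
        }
        for op in OPS:
            try:
                calls[op]()
                results[(role, op)] = "allowed"
            except AccessDenied:
                results[(role, op)] = "denied"
    return results


if __name__ == "__main__":
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        print(label)
        for key, outcome in owner_check_test(hardened).items():
            print(f"  {key[0]:>9} {key[1]:<15} {outcome}")
```

      With `hardened=False` every call succeeds for both users, which is the behaviour the description reports; with `hardened=True` the owner's calls still succeed and the non-owner's are refused with `AccessDenied`, which is exactly the pair of outcomes a regression test for the fix should assert.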

        Sub-tasks

        1. Obtain CVE (Sub-task, Closed, Unassigned)
        2. Create ESA (Sub-task, Closed, Unassigned)

          Activity

          Zach Hill (zhill) added a comment -

          The correct behavior is that only the owner of the bucket should be able to set these properties.

          Zach Hill (zhill) added a comment -

          This should also be a strong candidate for 3.2.1. It is not a difficult fix or difficult to test. The fix is to add the permissions checks in 3-4 methods and test by verifying that non-bucket-owners cannot perform them but the bucket-owner can.

          Neil Soman (neil) added a comment -

          Committed to team/storage/EUCA-3074. To Vika for review.

          Victor Iglesias (viglesias) added a comment -

          Vika Felmetsger, will you be testing this fix?

          Vika Felmetsger (rusvika) added a comment -

          Victor Iglesias, yes, I'm in the middle of it. I'll let you know if I need any help from QA, but most likely not as the fix is very localized.

          Aaron Withrow (awithrow) added a comment -

          3.2.2 has been released, moving this to Resolved.

            People

            • Votes:
              0
            • Watchers:
              6