Eucalyptus issue EUCA-3112

Internal requests to Walrus can be modified to manipulate data stored on Walrus

Details

    • Benefit: High
    • Security: Yes
    • SLA: Not Applicable
    • Sprint: 3.2 Sprint 1, 3.3 Sprint 1
    • Damage Potential: 54

Description

Walrus supports an internal REST API that Eucalyptus components use to access data stored on Walrus. Because some supported headers are not covered by the request signature, a malicious party can modify an internal request to Walrus and use it to manipulate stored data, such as snapshots, in a limited way.

To exploit this issue, an attacker needs to intercept (or otherwise have access to) a valid, signed internal request to Walrus.
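The header-coverage gap the description refers to, as an added example that is not Eucalyptus or Walrus code: a toy HMAC request signature covers only the headers named in a signed-headers list, so a header outside that list can be altered in transit without the verifier noticing, while covering every header plus the list itself closes the gap. The secret, request, header names (including x-euca-action) and the signing scheme are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed secret and request: this HMAC scheme illustrates header coverage
# in general and is NOT Walrus's actual internal signing protocol.
SECRET = b"constructed-internal-component-secret"
REQUEST = {
    "method": "PUT",
    "path": "/services/Walrus/bucket-example/snapshot-example",
    "headers": {
        "host": "walrus.internal.example",
        "date": "Thu, 01 Nov 2012 12:00:00 GMT",
        "x-euca-action": "read",  # hypothetical header name, assumed for the demo
    },
}

def canonical_string(method, path, headers, signed_headers):
    """String to sign: method, path, 'name:value' for each header named in
    signed_headers (lower-cased, sorted; a missing header signs as empty), and
    the signed-headers list itself so the verifier rejects a shortened list."""
    names = sorted(h.lower() for h in signed_headers)
    lines = [method.upper(), path]
    lines += [f"{n}:{headers.get(n, '').strip()}" for n in names]
    lines.append("signed-headers:" + ";".join(names))
    return "\n".join(lines)

def sign(method, path, headers, signed_headers, secret=SECRET):
    msg = canonical_string(method, path, headers, signed_headers).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(method, path, headers, signed_headers, signature, secret=SECRET):
    expected = sign(method, path, headers, signed_headers, secret)
    return hmac.compare_digest(expected, signature)

def tamper_detected(signed_headers, tampered_name, new_value):
    """Sign REQUEST with the given coverage, alter one header in transit and
    report whether verification fails; headers outside signed_headers are
    invisible to the signature, so changes to them go unnoticed."""
    r = REQUEST
    sig = sign(r["method"], r["path"], r["headers"], signed_headers)
    modified = dict(r["headers"])
    modified[tampered_name] = new_value
    return not verify(r["method"], r["path"], modified, signed_headers, sig)

if __name__ == "__main__":
    partial = ["host", "date"]          # action header left unsigned
    full = list(REQUEST["headers"])     # every header covered
    print(tamper_detected(partial, "x-euca-action", "write"))  # False
    print(tamper_detected(full, "x-euca-action", "write"))     # True
```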


              Activity

Vika Felmetsger (rusvika) added a comment:

As a note, we also need to make sure that the new authentication scheme is implemented and works with VMwareBroker.

Zach Hill (zhill) added a comment:

A few changes needed as well as a bug fix for the Windows bundle instance. I will move it into 'in progress' state.

Zach Hill (zhill) added a comment:

Committed to maint/3.2/security

Zach Hill (zhill) added a comment:

This is ready for QA testing.

Vika Felmetsger (rusvika) added a comment:

Reopening the issue to make it public.

People

    • Assignee: Zach Hill (zhill)
    • Reporter: Vika Felmetsger (rusvika)
    • Reviewer: Vika Felmetsger
    • QA Contact: Vika Felmetsger
    • Support Contact: Vika Felmetsger
    • Votes: 0
    • Watchers: 4