Details

    • Benefit:
      High
    • Security:
      Yes
    • SLA:
      Not Applicable
    • Epic Link:
    • Sprint:
      3.2 Sprint 1, 3.3 Sprint 1
    • Scoping Version:
    • Rank:
      2|hzxhbr:
    • Damage Potential:
      54

      Description

      Walrus supports an internal REST API that is used by Eucalyptus components to access data stored on Walrus. Due to the lack of signing of some supported headers, an internal request to Walrus can be modified by a malicious party and used to manipulate (in a limited way) stored data, such as snapshots.

      To exploit this issue, an attacker needs to intercept (or to have an access to) a valid (signed) internal request to Walrus.

        Gliffy Diagrams

          Issue Links

            Activity

            Hide
            zhill Zach Hill added a comment -

            The fix for this has been ready in my dev branch for some time. Just waiting for the next maintenance release to include it. Committing will require a rebase and additional testing before the merge. This fix is a significant amount of code (>1000 lines).

            I am updating status to not in progress since I am not working on this currently, but the fix is ready to go pending the rebase and final tests.

            Show
            zhill Zach Hill added a comment - The fix for this has been ready in my dev branch for some time. Just waiting for the next maintenance release to include it. Committing will require a rebase and additional testing before the merge. This fix is a significant amount of code (>1000 lines). I am updating status to not in progress since I am not working on this currently, but the fix is ready to go pending the rebase and final tests.
            Hide
            zhill Zach Hill added a comment -

            Vika, you can find the code in branch: security/zhill/EUCA-3112

            The changed code is in the WalrusAuthenticationHandler.java, HttpWriter.java, HttpReader.java, HttpTransfer.java, as well as the storage/walrus.h storage/walrus.c (and probably others that I'm forgetting right now)

            Show
            zhill Zach Hill added a comment - Vika, you can find the code in branch: security/zhill/ EUCA-3112 The changed code is in the WalrusAuthenticationHandler.java, HttpWriter.java, HttpReader.java, HttpTransfer.java, as well as the storage/walrus.h storage/walrus.c (and probably others that I'm forgetting right now)
            Hide
            zhill Zach Hill added a comment -

            This should be a high-priority candidate for 3.2.1. The fix is done but needs to be updated to 3.2 code since it was written on 3.1 code. It is a significant amount of code and will require a thorough regression test to ensure that all functionality is maintained. This fix has been waiting for a couple of months for a release to go into. Due to its size it will cause significant merge conflicts so I would like to minimize that by putting it in as soon as possible. The fix is >1000 lines of code.

            Show
            zhill Zach Hill added a comment - This should be a high-priority candidate for 3.2.1. The fix is done but needs to be updated to 3.2 code since it was written on 3.1 code. It is a significant amount of code and will require a thorough regression test to ensure that all functionality is maintained. This fix has been waiting for a couple of months for a release to go into. Due to its size it will cause significant merge conflicts so I would like to minimize that by putting it in as soon as possible. The fix is >1000 lines of code.
            Hide
            rusvika Vika Felmetsger added a comment -

            I have reviewed the fix and it fixes the vulnerability. Zach still has some work to do, but the fix is mostly ready. It's also worth mentioning that this fix is not compatible with current euca2ools. Garrett has the necessary changes ready in his branch on github.

            Show
            rusvika Vika Felmetsger added a comment - I have reviewed the fix and it fixes the vulnerability. Zach still has some work to do, but the fix is mostly ready. It's also worth mentioning that this fix is not compatible with current euca2ools. Garrett has the necessary changes ready in his branch on github.
            Hide
            rusvika Vika Felmetsger added a comment -

            As a note, we also need to make sure that the new authentication scheme is implemented and works with VMwareBroker.

            Show
            rusvika Vika Felmetsger added a comment - As a note, we also need to make sure that the new authentication scheme is implemented and works with VMwareBroker.
            Hide
            zhill Zach Hill added a comment -

            A few changes needed as well as a bug fix for the windows bundle instance. I will move it into 'in progress' state.

            Show
            zhill Zach Hill added a comment - A few changes needed as well as a bug fix for the windows bundle instance. I will move it into 'in progress' state.
            Hide
            zhill Zach Hill added a comment -

            Committed to maint/3.2/security

            Show
            zhill Zach Hill added a comment - Committed to maint/3.2/security
            Hide
            zhill Zach Hill added a comment -

            this is ready for QA testing.

            Show
            zhill Zach Hill added a comment - this is ready for QA testing.
            Hide
            rusvika Vika Felmetsger added a comment -

            Reopening the issue to make it public.

            Show
            rusvika Vika Felmetsger added a comment - Reopening the issue to make it public.

              People

              • Assignee:
                zhill Zach Hill
                Reporter:
                rusvika Vika Felmetsger
                Reviewer:
                Vika Felmetsger
                QA Contact:
                Vika Felmetsger
                Support Contact:
                Vika Felmetsger
                Participants:
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Development

                    Agile