Eucalyptus / EUCA-3112

Internal requests to Walrus can be modified to manipulate data stored on Walrus

    Details

    • Benefit:
      High
    • Security:
      Yes
    • SLA:
      Not Applicable
    • Epic Link:
    • Sprint:
      3.2 Sprint 1, 3.3 Sprint 1
    • Scoping Version:
    • Rank:
      0|i00taf:
    • Damage Potential:
      54

      Description

      Walrus supports an internal REST API that is used by Eucalyptus components to access data stored on Walrus. Due to the lack of signing of some supported headers, an internal request to Walrus can be modified by a malicious party and used to manipulate (in a limited way) stored data, such as snapshots.

      To exploit this issue, an attacker needs to intercept (or to have access to) a valid (signed) internal request to Walrus.
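
      The class of flaw described above, shown as an added illustration; this is not Eucalyptus code and does not reproduce Walrus's actual signing scheme. The key, the `x-internal-` header prefix, the header names and the sample request are all constructed assumptions. It contrasts a verifier that authenticates only a fixed subset of headers with one that places every internal control header under the signature.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed secret, illustration only
PREFIX = "x-internal-"          # hypothetical prefix for internal control headers


def sign(method, path, headers, names):
    """HMAC over method, path and only the headers listed in `names`."""
    lines = [method, path]
    lines += [f"{n}:{headers.get(n, '')}" for n in sorted(names)]
    return hmac.new(KEY, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def verify_partial(method, path, headers, signature, names):
    """Weak check: headers outside `names` are acted on but never authenticated."""
    return hmac.compare_digest(sign(method, path, headers, names), signature)


def verify_strict(method, path, headers, signature):
    """Hardened check: the covered set is derived from the received request,
    so a changed or added control header always alters the signed string."""
    covered = ["date"] + [n for n in headers if n.startswith(PREFIX)]
    return hmac.compare_digest(sign(method, path, headers, covered), signature)


def demo():
    # Constructed request; names and values are hypothetical.
    hdrs = {"date": "Thu, 01 Jan 2015 00:00:00 GMT",
            "x-internal-operation": "StoreSnapshot",
            "x-internal-snapshot-id": "snap-EXAMPLE1"}
    weak_names = ["date", "x-internal-operation"]
    weak_sig = sign("PUT", "/bucket/key", hdrs, weak_names)
    strict_sig = sign("PUT", "/bucket/key", hdrs, list(hdrs))
    # Same request with one header value changed after signing.
    changed = dict(hdrs, **{"x-internal-snapshot-id": "snap-EXAMPLE2"})
    return (verify_partial("PUT", "/bucket/key", changed, weak_sig, weak_names),
            verify_strict("PUT", "/bucket/key", changed, strict_sig),
            verify_strict("PUT", "/bucket/key", hdrs, strict_sig))


if __name__ == "__main__":
    print(demo())
```

      The partial verifier accepts the altered request because the changed header never entered the signed string; the strict verifier rejects it and still accepts the untouched original.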

                  People

                  • Assignee:
                    zhill Zach Hill
                    Reporter:
                    rusvika Vika Felmetsger
                    Reviewer:
                    Vika Felmetsger
                    QA Contact:
                    Vika Felmetsger
                    Support Contact:
                    Vika Felmetsger
                    Participants:
                  • Votes:
                    0
                    Watchers:
                    4