Difference between revisions of "OSSN/OSSN-0093"

(indicate the linked bug is still private at this time)
(Contacts / References: add assigned cve)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Unresolved Vulnerability in Murano ==
+
== Unsafe Environment Handling in MuranoPL  ==
  
 
=== Summary ===
 
=== Summary ===
  
A severe security vulnerability in all versions of the Murano service will be disclosed on Thursday, March 14, 2024. There is currently no fix under development for this, so it is strongly recommended that any deployments with Murano functionality accessible to untrusted users disable or fully remove it before that date. This security note will be amended at the time of public disclosure to include further details and context, but action should be taken prior to that time in order to minimize the risk it poses.
+
The Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information. Murano is an inactive project, so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, at the earliest opportunity.
  
 
=== Affected Services / Software ===  
 
=== Affected Services / Software ===  
  
Murano
+
Murano (all versions)
  
 
=== Discussion ===  
 
=== Discussion ===  
  
This security note is a redacted placeholder, and will be amended on Thursday, March 14, 2024 with complete details.
+
The YAQL interpreter project has released a new major version (3.0.0) which removes support for format strings, a feature necessary to exploit this condition in MuranoPL. Because Murano is not considered under active maintenance in OpenStack, its complete removal from all deployments is still strongly advised.
 +
 
 +
Note that this behavior change in YAQL means configurations relying on string formatting will no longer be interpreted the same after upgrading, which could cause them to not work as intended by their users in services which accept YAQL (including Heat and Mistral). Reliance on that feature is considered to be unusual, but users should be made aware in case it negatively impacts their configuration.
  
 
===  Recommended Actions ===  
 
===  Recommended Actions ===  
  
 
Disable the Murano service in, or fully remove it from, all OpenStack deployments at the earliest opportunity.
 
Disable the Murano service in, or fully remove it from, all OpenStack deployments at the earliest opportunity.
 +
 +
=== Credits ===
 +
kirualawliet and Zhiniang Peng (@edwardzpeng) from Sangfor Security Research Team
  
 
===  Contacts / References ===  
 
===  Contacts / References ===  
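Review bot: Recommended Actions is unchanged and still lists only disabling or removing Murano, while the new Discussion text says YAQL 3.0.0 removes the format-string support needed to exploit this condition. Consider stating in Recommended Actions whether upgrading YAQL to 3.0.0 is an acceptable interim measure for deployments that cannot remove Murano immediately, and point Heat and Mistral operators there to the string-formatting behavior change so it is not read only as background.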
Line 21: Line 26:
 
'''Author:'''
 
'''Author:'''
 
* Jeremy Stanley, OpenStack Vulnerability Coordinator
 
* Jeremy Stanley, OpenStack Vulnerability Coordinator
 +
  
 
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0093
 
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0093
  
Original LaunchPad Bug : https://launchpad.net/bugs/2048114 (not yet public)
+
Original LaunchPad Bug : https://launchpad.net/bugs/2048114
  
 
Mailing List : [security-sig] openstack-discuss@lists.openstack.org
 
Mailing List : [security-sig] openstack-discuss@lists.openstack.org
 +
 +
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29156

Latest revision as of 14:18, 18 March 2024

Unsafe Environment Handling in MuranoPL

Summary

The Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information. Murano is an inactive project, so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, at the earliest opportunity.

Affected Services / Software

Murano (all versions)

Discussion

The YAQL interpreter project has released a new major version (3.0.0) which removes support for format strings, a feature necessary to exploit this condition in MuranoPL. Because Murano is not considered under active maintenance in OpenStack, its complete removal from all deployments is still strongly advised.

Note that this behavior change in YAQL means configurations relying on string formatting will no longer be interpreted the same after upgrading, which could cause them to not work as intended by their users in services which accept YAQL (including Heat and Mistral). Reliance on that feature is considered to be unusual, but users should be made aware in case it negatively impacts their configuration.
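One way to check a deployment before upgrading YAQL, as an added example that is not part of this OSSN or of any OpenStack project. It assumes the removed string-formatting feature is invoked in YAQL as `format(...)` or `<expr>.format(...)`, that Heat carries YAQL under an `expression:` key and Mistral inside `<% ... %>`; the sample text is constructed.

```python
import re
from importlib import metadata

# Assumption: the removed string-formatting feature is called in YAQL as
# format(...) or <expr>.format(...); names such as reformat( are not matched.
FORMAT_CALL = re.compile(r"(?<!\w)format\s*\(")
# Mistral wraps YAQL in <% ... %>; Heat puts it under an "expression:" key.
# Expressions spread over several lines (YAML block scalars) are not handled.
MISTRAL_EXPR = re.compile(r"<%(.*?)%>")
HEAT_EXPR = re.compile(r"^\s*expression\s*:\s*(.+)$")

# Constructed sample mixing a Heat-style and a Mistral-style fragment.
SAMPLE = '''\
outputs:
  label:
    value:
      yaql:
        expression: $.data.tmpl.format($.data.name)
        data: {tmpl: "server-{0}", name: web}
publish:
  msg: <% format("{0} done", $.task) %>
  fmt: <% $.reformat($.x) %>
  size: <% $.items.len() %>
'''


def installed_version(dist):
    """Return the installed version of a distribution, or None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def yaql_has_format_strings(version):
    """True when the given YAQL version predates the 3.0.0 removal."""
    return int(version.split(".")[0]) < 3


def find_format_usage(text):
    """Return (line_number, expression) for YAQL expressions calling format."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        exprs = MISTRAL_EXPR.findall(line)
        heat = HEAT_EXPR.match(line)
        if heat:
            exprs.append(heat.group(1))
        hits += [(lineno, e.strip()) for e in exprs if FORMAT_CALL.search(e)]
    return hits
```

Call `installed_version("murano")` and `installed_version("yaql")` on each controller to see whether Murano is present and which YAQL is in use, and run `find_format_usage` over Heat templates and Mistral workflow definitions to list expressions that will change behavior after the upgrade.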

Recommended Actions

Disable the Murano service in, or fully remove it from, all OpenStack deployments at the earliest opportunity.

Credits

kirualawliet and Zhiniang Peng (@edwardzpeng) from Sangfor Security Research Team

Contacts / References

Author:

  • Jeremy Stanley, OpenStack Vulnerability Coordinator


This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0093

Original LaunchPad Bug : https://launchpad.net/bugs/2048114

Mailing List : [security-sig] openstack-discuss@lists.openstack.org

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29156