[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109533#comment-16109533 ]

ASF subversion and git services commented on CLOUDSTACK-9705:
-------------------------------------------------------------

Commit 75c81d918a359e25be3928ef42feb36614467a88 in cloudstack's branch refs/heads/4.10 from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=75c81d9 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

Now, updating the password via the UpdateUser API is not allowed via the integration port

(cherry picked from commit d206336e1a89d45162c95228ce3486b31d476504)
Signed-off-by: Rohit Yadav

> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-9705
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9705
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: Anshul Gangwar
>            Assignee: Anshul Gangwar
>
> The "unauthenticated API" allows a caller to reset CloudStack administrator
> passwords. This presents a security risk because it allows for privilege
> escalation attacks. First, if the unauthenticated API is listening on the
> network (instead of locally) then any user on the network can reset admin
> passwords. If the API is only listening locally, then any user with access
> to the local box can reset admin passwords. This would allow them to access
> other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords
> that have been lost or hijacked, such a solution needs to be secure. We
> should either remove this feature from the Unauthenticated API, or provide a
> solution that is less open to abuse.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109488#comment-16109488 ]

ASF subversion and git services commented on CLOUDSTACK-9705:
-------------------------------------------------------------

Commit 75c81d918a359e25be3928ef42feb36614467a88 in cloudstack's branch refs/heads/4.9 from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=75c81d9 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

Now, updating the password via the UpdateUser API is not allowed via the integration port

(cherry picked from commit d206336e1a89d45162c95228ce3486b31d476504)
Signed-off-by: Rohit Yadav

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038607#comment-16038607 ]

ASF subversion and git services commented on CLOUDSTACK-9705:
-------------------------------------------------------------

Commit d206336e1a89d45162c95228ce3486b31d476504 in cloudstack's branch refs/heads/master from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=d206336 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

Now, updating the password via the UpdateUser API is not allowed via the integration port

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15894958#comment-15894958 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user ramkatru commented on the issue:

    https://github.com/apache/cloudstack/pull/1865

    tag:mergeready

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891981#comment-15891981 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user koushik-das commented on the issue:

    https://github.com/apache/cloudstack/pull/1865

    Code changes LGTM

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891965#comment-15891965 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user anshul1886 commented on the issue:

    https://github.com/apache/cloudstack/pull/1865

    @koushik-das, This method is there so that it only gets called when the call is made through the 8096 port. Processing of the other parameters is done in a common place.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
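A defender's sketch of the check this thread describes, added here as an illustration and not CloudStack's own code: a hypothetical `@Parameter` annotation flags which command parameters may arrive over the unauthenticated integration port (8096, as stated in the comment above), and the guard refuses an UpdateUser request that carries `password` on that port while leaving the authenticated API path unchanged. The annotation, the `UpdateUserCmd` stand-in, the guard's name and the non-integration port number 8080 are all assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.Map;

// Hypothetical annotation (not CloudStack's real one): each command field
// declares whether it may be set over the unauthenticated integration port.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface Parameter {
    String name();
    boolean allowedOnIntegrationPort() default true;
}

// Stand-in for the UpdateUser command. Only "password" is sensitive enough
// that it must never be accepted without an authenticated caller.
class UpdateUserCmd {
    @Parameter(name = "id") String id;
    @Parameter(name = "email") String email;
    @Parameter(name = "password", allowedOnIntegrationPort = false) String password;
}

public class IntegrationPortGuard {
    static final int INTEGRATION_PORT = 8096;

    /**
     * Returns the name of the first request parameter that is not allowed on
     * the integration port, or null when the request may proceed.
     * localPort must be the server-side listener port the request arrived on,
     * never anything the client can supply (a header or query parameter).
     */
    static String rejectedParameter(Class<?> cmd, Map<String, String> params, int localPort) {
        if (localPort != INTEGRATION_PORT) {
            return null; // authenticated path: signature/ACL checks apply elsewhere
        }
        for (Field f : cmd.getDeclaredFields()) {
            Parameter p = f.getAnnotation(Parameter.class);
            if (p != null && !p.allowedOnIntegrationPort() && params.containsKey(p.name())) {
                return p.name(); // caller turns this into an error response
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample requests: the same parameters on each port.
        Map<String, String> reset = Map.of("id", "2", "password", "new-secret");
        Map<String, String> harmless = Map.of("id", "2", "email", "admin@example.invalid");
        System.out.println("8096 + password -> rejected: " + rejectedParameter(UpdateUserCmd.class, reset, 8096));
        System.out.println("8080 + password -> rejected: " + rejectedParameter(UpdateUserCmd.class, reset, 8080));
        System.out.println("8096 + email    -> rejected: " + rejectedParameter(UpdateUserCmd.class, harmless, 8096));
    }
}
```

Operationally, the guard complements rather than replaces the deployment control the issue mentions: keeping the integration port bound to localhost (or disabled) limits who can reach it at all.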
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891837#comment-15891837 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user koushik-das commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1865#discussion_r103875741

    --- Diff: server/src/com/cloud/api/ApiServer.java ---
@@ -430,8 +433,27 @@ public void handle(final HttpRequest request, final HttpResponse response, final if (!(responseType.equals(HttpUtils.RESPONSE_TYPE_JSON) || responseType.equals(HttpUtils.RESPONSE_TYPE_XML))) { responseType = HttpUtils.RESPONSE_TYPE_XML; } - try { +//verify that parameter is legit for passing via admin port
    --- End diff --

    Check if it makes sense to move this as a separate helper method. There are also other places in code that read the annotation on the API commands and parameters. Check if some of them can be reused.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
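Review bot: the only added line visible in this hunk, `+//verify that parameter is legit for passing via admin port`, is a comment, while `- try {` is removed and the header announces 27 new lines against 8 old, so the body of the check is not shown here; whatever replaces the try block should keep the parameter check inside the same try/catch so that a parameter refused on the integration port becomes a proper error response rather than an unhandled exception. The check also belongs in a named helper, as the reviewer suggests, which makes it easy to cover with a unit test asserting that UpdateUser's password parameter is rejected on the integration port and accepted on the authenticated path.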
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891832#comment-15891832 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user koushik-das commented on the issue:

    https://github.com/apache/cloudstack/pull/1865

    @anshul1886 @karuturi Should this be treated as a security issue and fixed on priority?

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15867253#comment-15867253 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user cloudmonger commented on the issue:

    https://github.com/apache/cloudstack/pull/1865

    ### ACS CI BVT Run

    **Summary:**

    Build Number 321
    Hypervisor xenserver
    NetworkType Advanced
    Passed=104
    Failed=0
    Skipped=7

    _Link to logs Folder (search by build_no):_ https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0

    **Failed tests:**

    **Skipped tests:**
    test_01_test_vm_volume_snapshot
    test_vm_nic_adapter_vmxnet3
    test_static_role_account_acls
    test_11_ss_nfs_version_on_ssvm
    test_nested_virtualization_vmware
    test_3d_gpu_support
    test_deploy_vgpu_enabled_vm

    **Passed test suites:**
    test_deploy_vm_with_userdata.py
    test_affinity_groups_projects.py
    test_portable_publicip.py
    test_over_provisioning.py
    test_global_settings.py
    test_scale_vm.py
    test_service_offerings.py
    test_routers_iptables_default_policy.py
    test_loadbalance.py
    test_routers.py
    test_reset_vm_on_reboot.py
    test_deploy_vms_with_varied_deploymentplanners.py
    test_network.py
    test_router_dns.py
    test_non_contigiousvlan.py
    test_login.py
    test_deploy_vm_iso.py
    test_list_ids_parameter.py
    test_public_ip_range.py
    test_multipleips_per_nic.py
    test_regions.py
    test_affinity_groups.py
    test_network_acl.py
    test_pvlan.py
    test_volumes.py
    test_nic.py
    test_deploy_vm_root_resize.py
    test_resource_detail.py
    test_secondary_storage.py
    test_vm_life_cycle.py
    test_routers_network_ops.py
    test_disk_offerings.py

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1515#comment-1515 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

GitHub user anshul1886 opened a pull request:

    https://github.com/apache/cloudstack/pull/1865

    CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

    Now, updating the password via the UpdateUser API is not allowed via the integration port

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/anshul1886/cloudstack-1 CLOUDSTACK-9705

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1865.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1865

----
commit d206336e1a89d45162c95228ce3486b31d476504
Author: Anshul Gangwar
Date:   2015-01-29T22:50:26Z

    CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

    Now, updating the password via the UpdateUser API is not allowed via the integration port

--
This message was sent by Atlassian JIRA (v6.3.4#6332)