[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-08-01 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109533#comment-16109533
 ] 

ASF subversion and git services commented on CLOUDSTACK-9705:
-

Commit 75c81d918a359e25be3928ef42feb36614467a88 in cloudstack's branch 
refs/heads/4.10 from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=75c81d9 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
Now, updating the password via the UpdateUser API is not allowed via the integration port.

(cherry picked from commit d206336e1a89d45162c95228ce3486b31d476504)
Signed-off-by: Rohit Yadav 


> Unauthenticated API allows Admin password reset
> ---
>
> Key: CLOUDSTACK-9705
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9705
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Anshul Gangwar
>Assignee: Anshul Gangwar
>
> The "unauthenticated API" allows a caller to reset CloudStack administrator 
> passwords. This presents a security risk because it allows for privilege 
> escalation attacks. First, if the unauthenticated API is listening on the 
> network (instead of locally) then any user on the network can reset admin 
> passwords. If the API is only listening locally, then any user with access 
> to the local box can reset admin passwords. This would allow them to access 
> other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords 
> that have been lost or hijacked, such a solution needs to be secure. We 
> should either remove this feature from the Unauthenticated API, or provide a 
> solution that is less open to abuse.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-08-01 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109488#comment-16109488
 ] 

ASF subversion and git services commented on CLOUDSTACK-9705:
-

Commit 75c81d918a359e25be3928ef42feb36614467a88 in cloudstack's branch 
refs/heads/4.9 from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=75c81d9 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
Now, updating the password via the UpdateUser API is not allowed via the integration port.

(cherry picked from commit d206336e1a89d45162c95228ce3486b31d476504)
Signed-off-by: Rohit Yadav 




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-06-06 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16038607#comment-16038607
 ] 

ASF subversion and git services commented on CLOUDSTACK-9705:
-

Commit d206336e1a89d45162c95228ce3486b31d476504 in cloudstack's branch 
refs/heads/master from [~anshulg]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=d206336 ]

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
Now, updating the password via the UpdateUser API is not allowed via the integration port.




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-03-03 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15894958#comment-15894958
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user ramkatru commented on the issue:

https://github.com/apache/cloudstack/pull/1865
  
tag:mergeready




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891981#comment-15891981
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user koushik-das commented on the issue:

https://github.com/apache/cloudstack/pull/1865
  
Code changes LGTM




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891965#comment-15891965
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user anshul1886 commented on the issue:

https://github.com/apache/cloudstack/pull/1865
  
@koushik-das, this method is there so that it only gets called when the call is made through port 8096. Other parameter processing is done in a common place.




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891837#comment-15891837
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1865#discussion_r103875741
  
--- Diff: server/src/com/cloud/api/ApiServer.java ---
@@ -430,8 +433,27 @@ public void handle(final HttpRequest request, final 
HttpResponse response, final
 if (!(responseType.equals(HttpUtils.RESPONSE_TYPE_JSON) || 
responseType.equals(HttpUtils.RESPONSE_TYPE_XML))) {
 responseType = HttpUtils.RESPONSE_TYPE_XML;
 }
-
 try {
+//verify that parameter is legit for passing via admin port
--- End diff --
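Review bot: the comment `//verify that parameter is legit for passing via admin port` is the only line of the new check visible in this excerpt (the hunk header's +27 says the rest follows), and it does not say what "legit" means. State which annotation or property marks a parameter as permitted on the integration port, and what the handler does when a request on that port carries one that is not, for example the UpdateUser password: reject the request with an error rather than silently dropping the parameter, and log the refusal so both the caller and an auditor can see it. The blank line deleted just before `try {` is an unrelated whitespace change and is best left out of a security fix that gets cherry-picked to release branches.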

Check if it makes sense to move this to a separate helper method. There are 
also other places in the code that read the annotation on the API commands and 
parameters. Check if some of them can be reused.


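The mechanism the two comments above describe, a check that runs only for calls arriving on the integration port (8096 in the thread) and reads a per-parameter annotation to decide whether the parameter may be passed there, as an added Python illustration. This is not CloudStack's code: INTEGRATION_PORT, AUTHENTICATED_PORT, the ApiParameter annotation, the COMMANDS registry, the ApiRequest shape and AUDIT_LOG are all assumptions made for the example; only the port number and the UpdateUser/password case come from the thread. It generalizes that case to any parameter carrying the flag.

```python
from dataclasses import dataclass
from typing import Dict, List

# Port numbers assumed for this example. 8096 is the integration port named in
# the thread; in a real deployment both values are configuration.
INTEGRATION_PORT = 8096
AUTHENTICATED_PORT = 8080


@dataclass(frozen=True)
class ApiParameter:
    """Models a per-parameter annotation: may this parameter be passed on the
    integration port, where the caller presents no credentials?"""
    name: str
    allowed_on_integration_port: bool = True


# Assumed command registry (not CloudStack's real one). UpdateUser keeps its
# other parameters, but the password can no longer be set unauthenticated.
COMMANDS: Dict[str, Dict[str, ApiParameter]] = {
    "updateuser": {
        "id": ApiParameter("id"),
        "email": ApiParameter("email"),
        "password": ApiParameter("password", allowed_on_integration_port=False),
    },
    "listusers": {"id": ApiParameter("id")},
}


@dataclass
class ApiRequest:
    command: str
    params: Dict[str, str]
    local_port: int              # port the server accepted the connection on
    authenticated: bool = False  # outcome of the normal session / API-key check


# Refusals are recorded here so an operator can alert on them; a real server
# would write them to its audit log instead of a module-level list.
AUDIT_LOG: List[str] = []


def disallowed_integration_params(command: str, params: Dict[str, str]) -> List[str]:
    """Names of the parameters in `params` that the command's annotations forbid
    on the integration port. Lookups are case-insensitive so the gate is not
    keyed on one exact spelling of 'password'; unknown parameters are ignored
    here because the common parameter processing rejects them later."""
    spec = COMMANDS.get(command.lower(), {})
    bad = []
    for name in params:
        annotated = spec.get(name.lower())
        if annotated is not None and not annotated.allowed_on_integration_port:
            bad.append(name)
    return sorted(bad)


def handle(req: ApiRequest) -> Dict[str, object]:
    """Dispatch one request. Only the port-specific gate is modelled; the
    command itself is not executed."""
    cmd = req.command.lower()
    if cmd not in COMMANDS:
        return {"status": "unknown_command", "disallowed": []}

    if req.local_port == INTEGRATION_PORT:
        # No credentials on this port: refuse the whole request if any
        # parameter is not permitted here, rather than silently dropping it.
        bad = disallowed_integration_params(cmd, req.params)
        if bad:
            AUDIT_LOG.append(
                f"rejected {cmd} on port {req.local_port}: disallowed params {bad}")
            return {"status": "rejected", "disallowed": bad}
        return {"status": "ok", "disallowed": []}

    # Every other port goes through the ordinary authentication path, where
    # the password parameter is allowed because the caller proved who they are.
    if not req.authenticated:
        return {"status": "unauthorized", "disallowed": []}
    return {"status": "ok", "disallowed": []}


if __name__ == "__main__":
    # Constructed sample requests: one refused, one allowed unauthenticated,
    # one allowed because it arrived authenticated on the normal port.
    samples = [
        ApiRequest("updateUser", {"id": "u-1", "Password": "new"}, INTEGRATION_PORT),
        ApiRequest("updateUser", {"id": "u-1", "email": "a@example.test"}, INTEGRATION_PORT),
        ApiRequest("updateUser", {"id": "u-1", "password": "new"}, AUTHENTICATED_PORT,
                   authenticated=True),
    ]
    for r in samples:
        print(r.command, r.local_port, handle(r))
    print(AUDIT_LOG)
```

Refusing the whole request instead of dropping the offending parameter keeps the failure visible to the caller and leaves an audit entry to alert on; a silently ignored password change would look like success to a legitimate operator and hide probing from a defender.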


[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15891832#comment-15891832
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user koushik-das commented on the issue:

https://github.com/apache/cloudstack/pull/1865
  
@anshul1886 @karuturi Should this be treated as a security issue and fixed 
on priority?




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2017-02-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15867253#comment-15867253
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


Github user cloudmonger commented on the issue:

https://github.com/apache/cloudstack/pull/1865
  
 ### ACS CI BVT Run
 **Summary:**
 Build Number 321
 Hypervisor xenserver
 NetworkType Advanced
 Passed=104
 Failed=0
 Skipped=7

_Link to logs Folder (search by build_no):_ 
https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0


**Failed tests:**

**Skipped tests:**
test_01_test_vm_volume_snapshot
test_vm_nic_adapter_vmxnet3
test_static_role_account_acls
test_11_ss_nfs_version_on_ssvm
test_nested_virtualization_vmware
test_3d_gpu_support
test_deploy_vgpu_enabled_vm

**Passed test suites:**
test_deploy_vm_with_userdata.py
test_affinity_groups_projects.py
test_portable_publicip.py
test_over_provisioning.py
test_global_settings.py
test_scale_vm.py
test_service_offerings.py
test_routers_iptables_default_policy.py
test_loadbalance.py
test_routers.py
test_reset_vm_on_reboot.py
test_deploy_vms_with_varied_deploymentplanners.py
test_network.py
test_router_dns.py
test_non_contigiousvlan.py
test_login.py
test_deploy_vm_iso.py
test_list_ids_parameter.py
test_public_ip_range.py
test_multipleips_per_nic.py
test_regions.py
test_affinity_groups.py
test_network_acl.py
test_pvlan.py
test_volumes.py
test_nic.py
test_deploy_vm_root_resize.py
test_resource_detail.py
test_secondary_storage.py
test_vm_life_cycle.py
test_routers_network_ops.py
test_disk_offerings.py




[jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset

2016-12-25 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1515#comment-1515
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9705:


GitHub user anshul1886 opened a pull request:

https://github.com/apache/cloudstack/pull/1865

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

Now, updating the password via the UpdateUser API is not allowed via the integration port.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/anshul1886/cloudstack-1 CLOUDSTACK-9705

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1865.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1865


commit d206336e1a89d45162c95228ce3486b31d476504
Author: Anshul Gangwar 
Date:   2015-01-29T22:50:26Z

CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
Now, updating the password via the UpdateUser API is not allowed via the integration port.



