As there seems to be some consensus, I've gone ahead and switched this bug to public, marking our security advisory task Won't Fix. I'll leave it to the Keystone maintainers to do the same with theirs.
** Description changed: - This issue is being treated as a potential security risk under - embargo. Please do not make any public mention of embargoed - (private) security vulnerabilities before their coordinated - publication by the OpenStack Vulnerability Management Team in the - form of an official OpenStack Security Advisory. This includes - discussion of the bug or associated fixes in public forums such as - mailing lists, code review systems and bug trackers. Please also - avoid private disclosure to other individuals not already approved - for access to this information, and provide this same reminder to - those who are made aware of the issue prior to publication. All - discussion should remain confined to this private bug report, and - any proposed fixes should be added to the bug as attachments. This - embargo shall not extend past 2020-05-27 and will be made - public by or on that date if no fix is identified. - The Domain Configuration subsystem, specifically PATCH /domains/{domain_id}/config/{group} appears to leak data before enforcement. The method called from the routed path[0] performs a "domain exists" check[1] before sending to the 'update_domain_config' method [2] which is behind the @protected decorator. This has the potential to be used to verify existence of domains by ID without authentication. This is in-fact a data leak. However, since domains (outside of "default" and the keystone-root domain) are uuids, this is likely a C1 classification in the VMT Taxonomy [3] (Useful if an attacker is guessing UUIDs). The only case where this is more significant is that it can be used to determine if the default domain is enabled/configured; the usefulness of such data is relatively suspect and unlikely to be meaningful. However, with all that said, since this is a potential security flaw, the bug has been marked private security. [0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55 [1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134 [2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131 [3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy ** Information type changed from Private Security to Public ** Changed in: ossa Status: Incomplete => Won't Fix ** Tags added: security -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1786646 Title: Domain Existence Leaking without authentication Status in OpenStack Identity (keystone): Confirmed Status in OpenStack Security Advisory: Won't Fix Bug description: The Domain Configuration subsystem, specifically PATCH /domains/{domain_id}/config/{group} appears to leak data before enforcement. The method called from the routed path[0] performs a "domain exists" check[1] before sending to the 'update_domain_config' method [2] which is behind the @protected decorator. This has the potential to be used to verify existence of domains by ID without authentication. This is in-fact a data leak. However, since domains (outside of "default" and the keystone-root domain) are uuids, this is likely a C1 classification in the VMT Taxonomy [3] (Useful if an attacker is guessing UUIDs). The only case where this is more significant is that it can be used to determine if the default domain is enabled/configured; the usefulness of such data is relatively suspect and unlikely to be meaningful. However, with all that said, since this is a potential security flaw, the bug has been marked private security. [0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55 [1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134 [2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131 [3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1786646/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp