cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9705) Unauthenticated API allows Admin password reset
Date Wed, 15 Feb 2017 04:50:41 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15867253#comment-15867253 ]

ASF GitHub Bot commented on CLOUDSTACK-9705:
--------------------------------------------

Github user cloudmonger commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
     ### ACS CI BVT Run
     **Summary:**
     Build Number 321
     Hypervisor xenserver
     NetworkType Advanced
     Passed=104
     Failed=0
     Skipped=7
    
    _Link to logs Folder (search by build_no):_ https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0
    
    
    **Failed tests:**
    
    **Skipped tests:**
    test_01_test_vm_volume_snapshot
    test_vm_nic_adapter_vmxnet3
    test_static_role_account_acls
    test_11_ss_nfs_version_on_ssvm
    test_nested_virtualization_vmware
    test_3d_gpu_support
    test_deploy_vgpu_enabled_vm
    
    **Passed test suites:**
    test_deploy_vm_with_userdata.py
    test_affinity_groups_projects.py
    test_portable_publicip.py
    test_over_provisioning.py
    test_global_settings.py
    test_scale_vm.py
    test_service_offerings.py
    test_routers_iptables_default_policy.py
    test_loadbalance.py
    test_routers.py
    test_reset_vm_on_reboot.py
    test_deploy_vms_with_varied_deploymentplanners.py
    test_network.py
    test_router_dns.py
    test_non_contigiousvlan.py
    test_login.py
    test_deploy_vm_iso.py
    test_list_ids_parameter.py
    test_public_ip_range.py
    test_multipleips_per_nic.py
    test_regions.py
    test_affinity_groups.py
    test_network_acl.py
    test_pvlan.py
    test_volumes.py
    test_nic.py
    test_deploy_vm_root_resize.py
    test_resource_detail.py
    test_secondary_storage.py
    test_vm_life_cycle.py
    test_routers_network_ops.py
    test_disk_offerings.py


> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-9705
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9705
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Anshul Gangwar
>            Assignee: Anshul Gangwar
>
> The "unauthenticated API" allows a caller to reset CloudStack administrator passwords.
> This presents a security risk because it allows for privilege escalation attacks. First,
> if the unauthenticated API is listening on the network (instead of locally) then any user
> on the network can reset admin passwords. If the API is only listening locally, then any
> user with access to the local box can reset admin passwords. This would allow them to access
> other hosts within the cloudstack deployment.
> While it may be important to provide a recovery mechanism for admin passwords that have
> been lost or hijacked, such a solution needs to be secure. We should either remove this feature
> from the Unauthenticated API, or provide a solution that is less open to abuse.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
