Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Arbitrary file access
through custom S3 XML entities in Swift's XML parser
[EGI-SVG-CVE-2022-47950]
Date: 2023-01-23
Updated: 2023-04-11
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Swift's S3 XML parser affecting OpenStack
Package : Swift S3 XML parser
CVE ID : CVE-2022-47950
CVSS Score : 7.7 [R 1]
A flaw was found in Swift's S3 XML parser. By supplying specially crafted XML files,
an authenticated user may coerce the S3 API into returning arbitrary file contents
from the host server, resulting in unauthorized read access to potentially
sensitive data. [R 1] [R 2] [R 3]
EGI FedCLoud sites are vulnerable.
Actions required/recommended
============================
EGI Cloud sites running OpenStack are required to either update relevant
components or carry out mitigation below urgently.
All running resources MUST be either patched or have mitigation
in place or software removed by 2023-01-31 00:00 UTC
All sites running OpenStack should update as a precaution.
Component installation information
==================================
Sites running OpenStack provided by RHEL should see [R 1]
Others should refer to OpenStack notification - included below.
Mitigation
===========
Disable S3-compatibility
OpenStack Notification
======================
Title:-
[openstack-announce] [OSSA-2023-001] Swift: Arbitrary file access through custom S3 XML entities (CVE-2022-47950)
:Date: January 17, 2023
:CVE: CVE-2022-47950
Affects
~~~~~~~
- Swift: <2.28.1, >=2.29.0 <2.29.2, ==2.30.0
Description
~~~~~~~~~~~
Sebastien Meriot (OVH) reported a vulnerability in Swift's S3 XML parser. By supplying specially crafted XML files an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server resulting in unauthorized read access to potentially sensitive data; this impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed). Only deployments with S3 compatibility enabled are affected.
Patches
~~~~~~~
- https://review.opendev.org/870823 (2023.1/antelope)
- https://review.opendev.org/870828 (Wallaby)
- https://review.opendev.org/870827 (Xena)
- https://review.opendev.org/870826 (Yoga)
- https://review.opendev.org/870825 (Zed)
Credits
~~~~~~~
- Sebastien Meriot from OVH (CVE-2022-47950
Notes
~~~~~
- The stable/wallaby branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
More information
================
The EGI SVG considers this vulnerability to be 'CRITICAL' in the EGI FedCloud
because members of the VOs supported by sites with OpenStack swift normally
have access to this service.
So this can potentially be exploited by any member of the supported VOs.
This is exploitable without the need to create a VM in FedCloud, swift-s3 can
be accessed directly without a VM, it's normally a publicly accessible API.
As far as the EGI SVG is aware, only FedCloud sites within EGI running OpenStack
are exploitabe by users.
Grid jobs do not use OpenStack directly. The vulnerability is exploitable by
whoever created the WN but not the Grid user. The vulnerability is only
exploitable by the person who has access to swift.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-47950
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2022-47950
[R 2] https://launchpad.net/bugs/1998625
[R 3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47950
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by Alexander Dibbo and
separately by Enol Fernandez
Timeline
========
Yyyy-mm-dd [EGI-SVG-2023-CVE-2023-47950]
2023-01-17 SVG alerted to this issue by Alexander Dibbo
2023-01-18 Acknowledgement from the EGI SVG to the reporter
2023-01-20 Discussion on exploitability and risk posed by this vulnerability,
including with a FedCloud expert.
2023-01-23 Advisory sent to sites
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,