Executive Summary

This vulnerability exists in OpenStack Cyborg versions before 16.0.1 where the Accelerator Request (ARQ) API fails to enforce project ownership at any level.

Specifically, the project_id field in the database is never set and remains NULL for all ARQs, database queries do not filter by project, and policy checks incorrectly compare the caller's project_id with itself rather than the target resource.

As a result, any authenticated non-admin user can perform actions such as deleting ARQs that belong to other projects, leading to cross-tenant denial of service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow any authenticated non-admin user to delete Accelerator Requests (ARQs) associated with other projects' instances.

This leads to a cross-tenant denial of service, potentially disrupting services or workloads running on those other projects.

The impact includes loss of availability and integrity of resources managed by the ARQ API.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in OpenStack Cyborg allows any authenticated non-admin user to perform actions across different projects without proper authorization, leading to cross-tenant denial of service. This lack of project ownership enforcement and improper access control could potentially lead to unauthorized access or manipulation of data belonging to other tenants.

Such unauthorized access and lack of proper data segregation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data to prevent unauthorized disclosure or modification.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenStack Cyborg to version 16.0.1 or later where the issue is fixed.

Since the vulnerability allows any authenticated non-admin user to perform unauthorized actions due to lack of project ownership enforcement, applying the patch or upgrade that enforces project ownership and proper policy checks is critical.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the OpenStack Cyborg Accelerator Request (ARQ) API not enforcing project ownership, leading to NULL project_id values in the database and allowing unauthorized cross-tenant actions.

To detect this vulnerability on your system, you can check the `extended_accelerator_requests` database table for NULL values in the `project_id` column, which indicates the issue.

Additionally, you can attempt to list or delete ARQs across projects using non-admin credentials to verify if unauthorized cross-tenant access is possible.

Suggested commands include:

• Query the database to find ARQs with NULL project_id: `SELECT * FROM extended_accelerator_requests WHERE project_id IS NULL;`
• Use OpenStack CLI or API calls with a non-admin user to list ARQs and check if ARQs from other projects are visible.
• Attempt to delete or modify ARQs bound to instances of other projects using non-admin credentials to test for unauthorized access.

Useful 0 Not Useful 0