SB2022042572 - Multiple vulnerabilities in Openstack barbican

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2022-23452)

The vulnerability allows a remote user to perform unauthorized actions within the application.

The vulnerability exists due to missing authorization checks. A remote user with admin role can add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.

2) Improper Authorization (CVE-ID: CVE-2022-23451)

The vulnerability allows a remote user to perform unauthorized actions within the application.

The vulnerability exists due to improper authorization checks. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=2025090
• https://storyboard.openstack.org/#!/story/2009297
• https://storyboard.openstack.org/#!/story/2009253
• https://bugzilla.redhat.com/show_bug.cgi?id=2025089