CVE-2023-27589: Do not allow adding root user to IAM subsystem by harshavardhana · Pull Request #16803 · minio/minio
MinIO is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can create an IAM user whose access key matches the root credential's accessKey. Once that user is created, the root credential stops working as expected. The issue is patched in RELEASE.2023-03-13T19-46-17Z. On unpatched releases the impact can be worked around by granting higher privileges to the now-shadowed root user with mc admin policy set.
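The following is an added example, not code from this PR or from MinIO's IAM implementation: a minimal in-memory Go model of the failure mode the advisory describes and of the check the fix introduces. The Credential and IAMStore types, AddUser, Authenticate, RootSurvivesShadowAttempt, the sample key values and the lookup order (IAM users consulted before the static root credential) are all assumptions of this example chosen to reproduce the symptom, not statements about MinIO's internals.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrRootAccessKey is returned by the patched AddUser when a caller tries to
// register an IAM user whose access key equals the root credential's.
var ErrRootAccessKey = errors.New("access key matches the root credential; refusing to add it to the IAM subsystem")

// Credential is an access-key/secret-key pair (constructed model, not MinIO's type).
type Credential struct {
	AccessKey string
	SecretKey string
}

// IAMStore is a minimal in-memory model: a static root credential plus a map
// of IAM users keyed by access key. The patched flag switches between the
// vulnerable behaviour and the CVE-2023-27589 fix.
type IAMStore struct {
	root    Credential
	users   map[string]Credential
	patched bool
}

func NewIAMStore(root Credential, patched bool) *IAMStore {
	return &IAMStore{root: root, users: make(map[string]Credential), patched: patched}
}

// AddUser is the operation a consoleAdmin-privileged caller can reach.
// Before the fix nothing stops it from creating a user named like root;
// after the fix the root access key is rejected outright.
func (s *IAMStore) AddUser(accessKey, secretKey string) error {
	if s.patched && subtle.ConstantTimeCompare([]byte(accessKey), []byte(s.root.AccessKey)) == 1 {
		return ErrRootAccessKey
	}
	s.users[accessKey] = Credential{AccessKey: accessKey, SecretKey: secretKey}
	return nil
}

// Authenticate resolves an access key to a credential and verifies the secret.
// ASSUMPTION of this model: IAM users are consulted before the static root
// credential, so an IAM user carrying root's access key shadows root. This
// ordering reproduces the symptom in the advisory; it is not a claim about
// MinIO's internal lookup order.
func (s *IAMStore) Authenticate(accessKey, secretKey string) (isRoot, ok bool) {
	if u, found := s.users[accessKey]; found {
		return false, subtle.ConstantTimeCompare([]byte(u.SecretKey), []byte(secretKey)) == 1
	}
	if accessKey == s.root.AccessKey {
		return true, subtle.ConstantTimeCompare([]byte(s.root.SecretKey), []byte(secretKey)) == 1
	}
	return false, false
}

// RootSurvivesShadowAttempt runs the scenario end to end: a consoleAdmin caller
// adds a user with root's access key and an attacker-chosen secret, then the
// operator signs in with the genuine root credential. It reports whether root
// still authenticates as root, plus the error AddUser produced.
func RootSurvivesShadowAttempt(patched bool) (rootOK bool, addErr error) {
	root := Credential{AccessKey: "minioadmin", SecretKey: "root-secret-for-example"} // constructed sample values
	store := NewIAMStore(root, patched)
	addErr = store.AddUser(root.AccessKey, "attacker-chosen-secret")
	isRoot, ok := store.Authenticate(root.AccessKey, root.SecretKey)
	return isRoot && ok, addErr
}

func main() {
	for _, patched := range []bool{false, true} {
		rootOK, err := RootSurvivesShadowAttempt(patched)
		fmt.Printf("patched=%-5v addUser error=%v  root credential still works=%v\n", patched, err, rootOK)
	}
}
```

Running the block shows the two behaviours side by side: in the unpatched model the root-named user is created and the genuine root secret no longer authenticates, which is the "root credential ceases to work" symptom; in the patched model AddUser fails with ErrRootAccessKey and root is untouched. The check belongs at user creation time (the PR title's "do not allow adding root user to IAM subsystem"), not only at lookup time, because a stored shadow user would still need to be cleaned out of the IAM backend.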
Mint Automation

Test                                   Result
mint-erasure.sh                        ✔️
mint-compress-encrypt-dist-erasure.sh  ❌ (log below)
mint-pools.sh                          ❌ (log below)
16803-1d1b209/mint-pools.sh.log:
Running with
SERVER_ENDPOINT: 15.15.15.7:31416
ACCESS_KEY: minio
SECRET_KEY: ***REDACTED***
ENABLE_HTTPS: 0
SERVER_REGION: us-east-1
MINT_DATA_DIR: /mint/data
MINT_MODE: full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL: 0
To get logs, run 'docker cp 669afbd10fa0:/mint/log /tmp/mint-logs'
(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 10 seconds
(5/14) Running awscli tests ... done in 2 minutes and 24 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 18 seconds
(8/14) Running minio-go tests ... done in 56 seconds
(9/14) Running minio-java tests ... done in 45 seconds
(10/14) Running minio-js tests ... FAILED in 1 minutes and 1 seconds
{
"name": "minio-js",
"function": "\"after all\" hook in \"functional tests\"",
"duration": 7273,
"status": "FAIL",
"error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:71:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:166:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:90:10) at DestroyableTransform.prefinish (node_modules/readable-stream/lib/_stream_transform.js:129:10) at prefinish (node_modules/readable-stream/lib/_stream_writable.js:611:14) at finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:620:5) at endWritable (node_modules/readable-stream/lib/_stream_writable.js:643:3) at DestroyableTransform.Writable.end (node_modules/readable-stream/lib/_stream_writable.js:571:22) at IncomingMessage.onend (internal/streams/readable.js:670:10) at endReadableNT (internal/streams/readable.js:1333:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)"
}
(10/14) Running minio-py tests ... done in 2 minutes and 21 seconds
(11/14) Running s3cmd tests ... done in 18 seconds
(12/14) Running s3select tests ... done in 4 seconds
(13/14) Running versioning tests ... done in 3 minutes and 20 seconds
Executed 13 out of 14 tests successfully.
16803-1d1b209/mint-compress-encrypt-dist-erasure.sh.log:
Running with
SERVER_ENDPOINT: 15.15.15.8:31036
ACCESS_KEY: minio
SECRET_KEY: ***REDACTED***
ENABLE_HTTPS: 0
SERVER_REGION: us-east-1
MINT_DATA_DIR: /mint/data
MINT_MODE: full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL: 0
To get logs, run 'docker cp 41dc944b6939:/mint/log /tmp/mint-logs'
(1/14) Running aws-sdk-go tests ... done in 8 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 10 seconds
(5/14) Running awscli tests ... done in 2 minutes and 23 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 18 seconds
(8/14) Running minio-go tests ... done in 49 seconds
(9/14) Running minio-java tests ... done in 31 seconds
(10/14) Running minio-js tests ... done in 58 seconds
(11/14) Running minio-py tests ... FAILED in 1 minutes and 6 seconds
{
"name": "minio-py:test_put_object",
"status": "FAIL",
"args": {
"bucket_name": "minio-py-test-de11b877-cc95-481a-b403-0229416a8478",
"object_name": "6bc2e079-6c01-4e61-9c40-35003bf8b1ce-metadata",
"length": 11534336,
"data": "LimitedRandomReader(11 * MB)",
"metadata": {
"x-amz-meta-testing": "value",
"test-key": "value2"
},
"content_type": "application/octet-stream"
},
"message": "('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))",
"error": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n httplib_response = self._make_request(\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n six.raise_from(e, None)\n File \"<string>\", line 3, in raise_from\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n httplib_response = conn.getresponse()\n File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n response.begin()\n File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n version, status, reason = self._read_status()\n File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n return self._sock.recv_into(b)\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/mint/run/core/minio-py/tests.py\", line 126, in _call_test\n func(log_entry, *args, **kwargs)\n File \"/mint/run/core/minio-py/tests.py\", line 697, in test_put_object\n _CLIENT.put_object(bucket_name, object_name + \"-metadata\", reader,\n File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1766, in put_object\n raise exc\n File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1725, in put_object\n upload_id = self._create_multipart_upload(\n File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 1565, in _create_multipart_upload\n response = self._execute(\n File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 403, in _execute\n return self._url_open(\n File \"/usr/local/lib/python3.8/dist-packages/minio/api.py\", line 266, in _url_open\n response = self._http.urlopen(\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/poolmanager.py\", line 376, in urlopen\n response = conn.urlopen(method, u.request_uri, **kw)\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 787, in urlopen\n retries = retries.increment(\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py\", line 550, in increment\n raise six.reraise(type(error), error, _stacktrace)\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/packages/six.py\", line 769, in reraise\n raise value.with_traceback(tb)\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 703, in urlopen\n httplib_response = self._make_request(\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 449, in _make_request\n six.raise_from(e, None)\n File \"<string>\", line 3, in raise_from\n File \"/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py\", line 444, in _make_request\n httplib_response = conn.getresponse()\n File \"/usr/lib/python3.8/http/client.py\", line 1348, in getresponse\n response.begin()\n File \"/usr/lib/python3.8/http/client.py\", line 316, in begin\n version, status, reason = self._read_status()\n File \"/usr/lib/python3.8/http/client.py\", line 277, in _read_status\n line = str(self.fp.readline(_MAXLINE + 1), \"iso-8859-1\")\n File \"/usr/lib/python3.8/socket.py\", line 669, in readinto\n return self._sock.recv_into(b)\nurllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))\n",
"duration": 62741
}
(11/14) Running s3cmd tests ... done in 16 seconds
(12/14) Running s3select tests ... done in 4 seconds
(13/14) Running versioning tests ... done in 3 minutes and 4 seconds
Executed 13 out of 14 tests successfully.
Deleting image on docker hub
Deleting image locally