solidfire driver ignores certificates

Bug #1432901 reported by Eric Brown
Affects                      Status      Importance  Assigned to  Milestone
Cinder                       New         Undecided   Unassigned
OpenStack Security Advisory  Incomplete  Undecided   Unassigned

Bug Description

The solidfire driver passes verify=False when initiating an https connection. This in effect bypasses any certificate verification and allows the user to be vulnerable to a man-in-the-middle attack. Certificates should always be trusted before passing credentials. To support cases with self-signed certificates, typically an option to ignore errors is exposed in a config file (cinder.conf).

https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/solidfire.py#L198

        # Call as reported: verify=False turns off TLS certificate validation
        # for the request that carries the cluster credentials.
        req = requests.post(url,
                            data=json.dumps(payload),
                            auth=(endpoint['login'], endpoint['passwd']),
                            verify=False,
                            timeout=30)
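The fix the report asks for, as an added example and not the driver's own code: verification stays on by default, an operator-supplied CA bundle covers the self-signed case, and only an explicit opt-out in the config disables checking. The config key names (driver_ssl_cert_verify, driver_ssl_cert_path) and the `session` parameter are assumptions made for this illustration.

```python
import json

try:
    import requests  # third-party; only needed for real HTTP calls
except ImportError:  # the helper below can still be exercised with a test double
    requests = None

# Assumed cinder.conf-style options, modelled on what the report requests;
# these names are not taken from the driver itself.
DEFAULT_CFG = {"driver_ssl_cert_verify": True, "driver_ssl_cert_path": None}


def resolve_verify(cfg):
    """Map the assumed config keys to the value requests expects in verify=.

    True  -> validate against the system CA bundle (the safe default)
    path  -> validate against an operator-supplied CA bundle (self-signed case)
    False -> only when the operator explicitly opted out in the config
    """
    verify = cfg.get("driver_ssl_cert_verify", True)
    ca_path = cfg.get("driver_ssl_cert_path")
    if verify and ca_path:
        return ca_path
    return bool(verify)


def solidfire_post(url, payload, endpoint, cfg=None, session=None):
    """Post to the cluster API with certificate checking driven by config.

    `session` (assumed) lets a caller pass a test double instead of requests.
    """
    cfg = DEFAULT_CFG if cfg is None else cfg
    http = requests if session is None else session
    return http.post(url,
                     data=json.dumps(payload),
                     auth=(endpoint['login'], endpoint['passwd']),
                     verify=resolve_verify(cfg),
                     timeout=30)
```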

Tags: security
Thierry Carrez (ttx) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

This problem is already pointed out in public security hardening bug 1188189. The last mention of the solidfire driver there was still using httplib, but when change https://review.openstack.org/127399 switched it to requests it maintained compatible behavior (e.g. it did not suddenly start validating certificates).

I recommend we switch this to public and mark it as a duplicate report.

Thierry Carrez (ttx) wrote :

Agreed, let's open this (and mark it duplicate) on Monday unless someone disagrees.

Thierry Carrez (ttx)
information type: Private Security → Public
tags: added: security
John Griffith (john-griffith) wrote :

Late to the party, but for record keeping... yes, duplicate.
