solidfire driver ignores certificates
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | New | Undecided | Unassigned | |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned | |
Bug Description
The solidfire driver passes verify=False when initiating an https connection. This in effect bypasses any certificate verification and allows the user to be vulnerable to a man-in-the-middle attack. Certificates should always be trusted before passing credentials. To support cases with self-signed certificates, typically an option to ignore errors is exposed in a config file (cinder.conf).
https:/
req = requests.post(url,
information type: | Private Security → Public |
tags: | added: security |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
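One way to wire up the config-file option the bug description proposes, as an added example and not code from the Cinder driver: the section names, the option names `verify_cert` and `ca_bundle`, and the helper functions are hypothetical. It maps the configuration to the `verify` argument of `requests.post`, verifying by default and failing closed when a configured CA bundle is missing.

```python
import configparser
import logging
import os

LOG = logging.getLogger(__name__)

# Constructed sample; section and option names are hypothetical,
# not Cinder's real option names.
SAMPLE_CONF = """
[solidfire_default]

[solidfire_private_ca]
ca_bundle = {ca_path}

[solidfire_lab]
verify_cert = false
"""


def load_conf(text):
    conf = configparser.ConfigParser()
    conf.read_string(text)
    return conf


def tls_verify_setting(conf, section):
    """Return the value to pass as the verify= argument of requests.

    True  -> verify against the system trust store (the default)
    str   -> verify against this CA bundle (self-signed or private CA)
    False -> no verification, only when the operator asked for it
    """
    ca_bundle = conf.get(section, "ca_bundle", fallback="").strip()
    if not conf.getboolean(section, "verify_cert", fallback=True):
        if ca_bundle:
            raise ValueError("verify_cert=false conflicts with ca_bundle")
        LOG.warning("[%s] TLS certificate verification is disabled", section)
        return False
    if ca_bundle:
        if not os.path.isfile(ca_bundle):
            # Fail closed: a bad path must not turn into "no verification".
            raise ValueError("ca_bundle not found: %s" % ca_bundle)
        return ca_bundle
    return True


def issue_request(url, payload, auth, verify):
    # requests is imported lazily so the config handling has no dependency.
    import requests
    return requests.post(url, json=payload, auth=auth, verify=verify, timeout=30)
```

A backend with a self-signed certificate is handled by pointing `ca_bundle` at that certificate, so credentials are still only sent to an endpoint the operator has chosen to trust.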