MITM vulnerability with EMC VMAX driver
Bug #1372635 reported by Matthew Edmonds
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Fix Released | High | Xing Yang | |
Icehouse | Won't Fix | Undecided | Unassigned | |
Juno | Won't Fix | Undecided | Unassigned | |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
The EMC VMAX driver in Juno appears to blindly trust whatever certificate it gets back from the device without any validation (it does not specify the ca_certs parameter, etc. on WBEMConnection).
Changed in ossa:
status: New → Incomplete
Changed in cinder:
assignee: nobody → Xing Yang (xing-yang)
milestone: none → juno-rc1
information type: Private Security → Public
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
Changed in cinder:
milestone: kilo-1 → kilo-2
Changed in cinder:
milestone: kilo-2 → kilo-3
Changed in cinder:
status: Fix Committed → Fix Released
Changed in cinder:
milestone: kilo-3 → 2015.1.0
Thank you for the report! The OSSA task is set to incomplete pending additional review.
Just to be sure, only Juno is affected?
In stable/icehouse, cinder/volume/drivers/emc/emc_smis_common.py is also using WBEMConnection without ca_certs parameters...
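
Added example, not part of the bug thread or the Cinder code: a small static check for the pattern the report and the comment above describe, a `WBEMConnection` call that does not specify `ca_certs`. The sample source, the `root/emc` namespace and the function names are constructed; treating `no_verification` as a keyword that turns validation off is an assumption about the pywbem version in use.

```python
import ast

# Constructed sample source for the demo; not taken from the Cinder tree.
SAMPLE = '''
import pywbem

def connect_unverified(url, creds):
    return pywbem.WBEMConnection(url, creds, default_namespace="root/emc")

def connect_disabled(url, creds, ca):
    return pywbem.WBEMConnection(url, creds, ca_certs=ca, no_verification=True)

def connect_verified(url, creds, ca):
    return pywbem.WBEMConnection(url, creds, ca_certs=ca, no_verification=False)
'''

def _callee(call):
    """Last component of the called name: pywbem.WBEMConnection -> WBEMConnection."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _is_const(node, value):
    """True when node is the literal constant `value` (e.g. False or None)."""
    return isinstance(node, ast.Constant) and node.value is value

def find_unverified_wbem_calls(source, filename="<source>"):
    """Return sorted (line, reason) pairs for WBEMConnection calls to review."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _callee(node) != "WBEMConnection":
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if None in kwargs:  # **options: cannot be decided statically
            findings.append((node.lineno, "arguments passed via **, review manually"))
        elif "no_verification" in kwargs and not _is_const(kwargs["no_verification"], False):
            # Assumption: no_verification=True disables certificate checks.
            findings.append((node.lineno, "no_verification is not literally False"))
        elif "ca_certs" not in kwargs or _is_const(kwargs["ca_certs"], None):
            # Only the keyword form is recognised; positional use is flagged too.
            findings.append((node.lineno, "ca_certs not specified"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unverified_wbem_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

Run over a driver tree, each finding is a call site to check by hand against the branch in question, as the comment above does for stable/icehouse.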