cinder drivers using ETree for xml parsing

Bug #1656030 reported by Nicholas Jones
Affects                      Status    Importance  Assigned to  Milestone
Cinder                       New       Undecided   Unassigned
OpenStack Security Advisory  Invalid   Undecided   Unassigned

Bug Description

Bandit blacklists calls to xml.etree for security purposes
see: http://docs.openstack.org/developer/bandit/blacklists/blacklist_calls.html#b313-b320-xml

Calls to xml.etree are made in the following locations:

Location: cinder/cinder/volume/drivers/fujitsu/eternus_dx_common.py:1102
Location: cinder/cinder/volume/drivers/hitachi/hnas_utils.py:204
Location: cinder/cinder/volume/drivers/huawei/huawei_conf.py:43
Location: cinder/cinder/volume/drivers/huawei/huawei_conf.py:85
Location: cinder/cinder/volume/drivers/qnap.py:562
Location: cinder/cinder/volume/drivers/qnap.py:594
Location: cinder/cinder/volume/drivers/qnap.py:829
Location: cinder/cinder/volume/drivers/qnap.py:902
Location: cinder/cinder/volume/drivers/qnap.py:951
Location: cinder/cinder/volume/drivers/qnap.py:975
Location: cinder/cinder/volume/drivers/qnap.py:999
Location: cinder/cinder/volume/drivers/qnap.py:1028
Location: cinder/cinder/volume/drivers/qnap.py:1036
Location: cinder/cinder/volume/drivers/qnap.py:1060
Location: cinder/cinder/volume/drivers/qnap.py:1084
Location: cinder/cinder/volume/drivers/qnap.py:1105
Location: cinder/cinder/volume/drivers/qnap.py:1124
Location: cinder/cinder/volume/drivers/qnap.py:1142
Location: cinder/cinder/volume/drivers/qnap.py:1161
Location: cinder/cinder/volume/drivers/qnap.py:1203
Location: cinder/cinder/volume/drivers/qnap.py:1236
Location: cinder/cinder/volume/drivers/qnap.py:1253
Location: cinder/cinder/volume/drivers/qnap.py:1278
Location: cinder/cinder/volume/drivers/qnap.py:1306
Location: cinder/cinder/volume/drivers/qnap.py:1334
Location: cinder/cinder/volume/drivers/qnap.py:1375
Location: cinder/cinder/volume/drivers/qnap.py:1408
Location: cinder/cinder/volume/drivers/qnap.py:1428
Location: cinder/cinder/volume/drivers/qnap.py:1453
Location: cinder/cinder/volume/drivers/qnap.py:1490
Location: cinder/cinder/volume/drivers/qnap.py:1523
Location: cinder/cinder/volume/drivers/qnap.py:1531
Location: cinder/cinder/volume/drivers/qnap.py:1548

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

This report doesn't include any useful research, just a copy-and-paste report from a static code analyzer. Can you clarify what actual vulnerabilities you've discovered and provide some realistic exploit scenarios? The recommendation to switch to defusedxml has been debated heavily (and rejected) elsewhere in OpenStack as recently as a few months ago: http://lists.openstack.org/pipermail/openstack-dev/2016-September/104630.html

Given that thread explicitly mentions "cinder drivers" I recommend we switch this bug to Public Security since an embargo is pointless.

Sean McGinnis (sean-mcginnis) wrote :

I agree with Jeremy.

Also, the majority of the use of this is by drivers for parsing XML to and from their device API. So I don't think "parse untrusted XML data is known to be vulnerable to XML attacks" applies here.

Nicholas Jones (nj762h) wrote :

This is 100% just me deferring to higher powers in an attempt to either address or eliminate issues raised by bandit.

If the XML in the drivers' respective configuration files is guaranteed to be secure then there's likely no issue.

Jeremy Stanley (fungi) wrote :

I've switched the bug to Public Security now so this discussion can continue as publicly as we like.

information type: Private Security → Public Security
description: updated
Arun Kant (arukant) wrote :

For details of XML attacks and a possible replacement, this package can be referred to; it describes the various XML-related attack vectors.

https://pypi.python.org/pypi/defusedxml
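An added example, not code from this thread, from cinder or from any of the listed drivers, that covers both Sean's point (the XML being parsed is a reply from the device API) and Arun's pointer to defusedxml: the hardened parser below sets the same expat handlers that defusedxml overrides, implemented directly on the standard library's xml.parsers.expat so it runs without the package. The `<volumes>` reply format, the tag names and both sample documents are constructed for the example and are not real driver or device output.

```python
"""Parse an XML reply from a storage backend while refusing entity declarations.

Added example, not code from cinder or from any driver named in the bug.
The rejection handlers are the ones defusedxml installs on expat; the reply
format and the sample documents are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD, an entity or an external reference."""


def safe_fromstring(text, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Like ET.fromstring, but abort before any entity can be expanded.

    The keyword defaults mirror defusedxml's fromstring(): DTDs are tolerated,
    entity declarations and external entity references are not.
    """
    parser = expat.ParserCreate(None, "}")  # "}" so names arrive as uri}local
    builder = ET.TreeBuilder()

    def reject(*_args):
        raise ForbiddenXML("DTD or entity declaration refused")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject
    if forbid_entities:
        parser.EntityDeclHandler = reject
        parser.UnparsedEntityDeclHandler = reject
    if forbid_external:
        parser.ExternalEntityRefHandler = reject

    def fixname(name):
        # Mirror ElementTree's {uri}local convention for namespaced names.
        return "{" + name if "}" in name else name

    parser.StartElementHandler = lambda name, attrs: builder.start(
        fixname(name), {fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda name: builder.end(fixname(name))
    parser.CharacterDataHandler = builder.data
    parser.buffer_text = True

    parser.Parse(text, True)  # handlers raise ForbiddenXML mid-parse on violation
    return builder.close()


def parse_volume_reply(text):
    """Turn a constructed <volumes> reply into {id: {"label": ..., "size_gb": ...}}."""
    root = safe_fromstring(text)
    if root.tag != "volumes":
        raise ValueError("unexpected root element %r" % root.tag)
    volumes = {}
    for vol in root.findall("volume"):
        volumes[vol.get("id")] = {
            "label": vol.findtext("label", default=""),
            "size_gb": int(vol.findtext("size_gb", default="0")),
        }
    return volumes


def refuses(text):
    """True when the hardened parser rejects the document."""
    try:
        safe_fromstring(text)
    except ForbiddenXML:
        return True
    return False


def stock_text(text):
    """What plain xml.etree does with the same input: it expands the entity."""
    return ET.fromstring(text).text


# Constructed sample replies; not real driver or device output.
BENIGN_REPLY = (
    '<?xml version="1.0"?>'
    '<volumes><volume id="1"><label>vol1</label><size_gb>10</size_gb></volume>'
    '<volume id="2"><label>vol2</label><size_gb>20</size_gb></volume></volumes>'
)

# Smallest reply that declares an internal entity: enough to show the
# difference between the stock parser (expands it) and the hardened one.
ENTITY_REPLY = '<!DOCTYPE volumes [<!ENTITY lbl "vol1">]><volumes>&lbl;</volumes>'


if __name__ == "__main__":
    print(parse_volume_reply(BENIGN_REPLY))
    print("stock xml.etree gives:", stock_text(ENTITY_REPLY))
    print("hardened parser refuses entity reply:", refuses(ENTITY_REPLY))
```

The benign reply parses into the same Element tree either way; the reply that carries an entity declaration is expanded by `xml.etree` but rejected by the hardened parser at the declaration, before any expansion. Whether a DOCTYPE on its own should be refused depends on whether the backend ever legitimately sends one, which is why `forbid_dtd` is left as a parameter.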

Tristan Cacqueray (tristan-cacqueray) wrote :

The VMT doesn't usually issue an advisory for a bug only exposed in the backend network, unless it can be abused by a regular user. I propose we treat this as a class C1 report ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Jeremy Stanley (fungi) wrote :

Probably more of a class E unless it can be demonstrated that there is any actual vulnerability exposed (or could barely be class D if there's interest from Cinder in anyone working on a "safer" replacement implementation). Also since it's already public I've gone ahead and marked our security advisory task invalid.

Changed in ossa:
status: Incomplete → Invalid
information type: Public Security → Public
tags: added: drivers fujitsu hitachi huawei qnap