use md5 to check volume metadata
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Cinder populates a legacy'checksum' volume property which is an md5 hash of volume metadata content.We know that now md5 encryption can be breached by brute force cracking, so in the python code security monitoring, it has been considered that md5 encryption will have security vulnerabilities. We know that now md5 encryption can be breached by brute force cracking, so in the python code security monitoring, it has been considered that md5 encryption will have security vulnerabilities. Continue to use md5 cannot be guaranteed in environments that comply with various security standards (for example, FIPS).
The code is in cinder/
class Controller(
"""The volume metadata API controller for the OpenStack API."""
def _validate_
if not req.if_match:
return True
context = req.environ[
metadata = self._get_
data = jsonutils.
if six.PY3:
data = data.encode(
checksum = hashlib.
return checksum in req.if_match.etags
To remove the dependency on the insecure MD5 algorithm, do we need to consider using SHA256?
Changed in cinder: | |
status: | New → Invalid |
tags: | added: md5 security |
md5 in this particular location is not being used for any security-sensitive purpose, and was marked as such in this change:
https:/ /opendev. org/openstack/ cinder/ commit/ bb25e9550b4ab32 41c5d05434cb790 ad9dcebcec
We could change to a different algorithm for validating etags but there doesn't appear to be a pressing security motivation for doing so.
This change above allows this usage of md5 to work on a FIPS-configured system.