security issues in heat templates

Bug #1267635 reported by Grant Murphy
Affects                      | Status    | Importance | Assigned to | Milestone
Heat Templates               | Confirmed | Undecided  | Unassigned  |
OpenStack Security Advisory  | Won't Fix | Undecided  | Unassigned  |

Bug Description

I was asked to take a look at the openstack/heat-templates project for security problems. (I think it is being packaged in Fedora).

I went through the code at https://github.com/openstack/heat-templates

Here is a summary of the things that I found -

* yum repositories that make connections via http (should be https)
* yum repositories being created with sslverify=false (should verify ssl certificates)
* yum repositories being created with gpgcheck=0 (gpg should be used to verify the packages)
* importing a rpm key via http
* using hmac-md5 via dnssec (deprecated?)
* potentially insecure file permissions for configuration files that contain sensitive info (e.g. passwords)
* selinux disabled
* SQL database settings containing username / password created in temp file at predictable location with 644 perms. Is the temp file cleaned up?
* creating crontab file in /tmp at a predictable location and importing it. (potential toctou issue?)
* running scripts that are being downloaded via http instead of https.

I've attached a file detailing which problems belong in which files. I'm not entirely sure if this needs to go through the whole CVE process, but I believe that most of these issues need to be addressed.
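As an added illustration of the first three findings above (this is not code from the bug report or from heat-templates), a small Python check that flags yum repository stanzas using plain http URLs, gpgcheck=0 or sslverify=false. The sample stanzas are constructed: a weak repo beside its hardened form, on a made-up mirror host.

```python
"""Flag the yum repository weaknesses listed in this bug report."""
from configparser import ConfigParser

# Constructed sample input (not from heat-templates): one weak stanza, one hardened.
SAMPLE_REPO = """\
[weak-repo]
name=Weak example
baseurl=http://mirror.example.invalid/el7/
enabled=1
gpgcheck=0
sslverify=false

[hardened-repo]
name=Hardened example
baseurl=https://mirror.example.invalid/el7/
enabled=1
gpgcheck=1
gpgkey=https://mirror.example.invalid/RPM-GPG-KEY-example
sslverify=true
"""

FALSEY = {"0", "false", "no", "off"}
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def check_repo_text(text):
    """Return (section, finding) tuples for every weak setting in a .repo-style text."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = {k.lower(): v.strip().lower() for k, v in cp.items(section)}
        # Repo metadata, packages and signing keys fetched over plain http can be tampered with.
        for key in URL_KEYS:
            if opts.get(key, "").startswith("http://"):
                findings.append((section, f"{key} is fetched over plain http"))
        # gpgcheck missing or 0: package signatures are never verified.
        if opts.get("gpgcheck") is None or opts["gpgcheck"] in FALSEY:
            findings.append((section, "gpgcheck missing or disabled"))
        # sslverify=false: the TLS certificate of the mirror is not verified.
        if opts.get("sslverify", "1") in FALSEY:
            findings.append((section, "sslverify disabled"))
        # gpgcheck=1 without a gpgkey leaves nothing to verify against.
        if opts.get("gpgcheck", "") not in FALSEY and opts.get("gpgcheck") and "gpgkey" not in opts:
            findings.append((section, "gpgcheck enabled but no gpgkey given"))
    return findings


if __name__ == "__main__":
    for section, finding in check_repo_text(SAMPLE_REPO):
        print(f"[{section}] {finding}")
```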

Grant Murphy (gmurphy) wrote:

Thierry Carrez (ttx) wrote:

I think some of this would be relevant for OSSA if we consider(ed) heat-templates in the scope of what we release advisories for.

At this point the scope/coverage has been loosely defined. Everyone agrees that Integrated projects count. We have a few extra projects covered too (python-*client corresponding to integrated projects in particular). We need to have that discussion about scope ASAP to clarify our position. Until we get more resources on the VMT my position is rather minimalist.

So my lazy answer would be to leave them out of scope until the most obvious issues are fixed, at which point we could consider adding them...

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote:

Proposing to open it as "not covered yet", per my recent email about VMT scope.

Jeremy Stanley (fungi)
information type: Private Security → Public Security
Jeremy Stanley (fungi) wrote:

Confirmed with Grant in IRC prior to switching to public security.

Thierry Carrez (ttx) wrote:
Changed in ossa:
status: Incomplete → Won't Fix

Grant Murphy (gmurphy) wrote:

Tom Fifield (fifieldt) wrote:

The following appear to be fixed:

* yum repositories that make connections via http (should be https)
* yum repositories being created with sslverify=false (should verify ssl certificates)
* yum repositories being created with gpgcheck=0 (gpg should be used to verify the packages)
* using hmac-md5 via dnssec (deprecated?)

After a quick search, at least some of the others remain.

Changed in heat-templates:
status: New → Confirmed
This report contains Public Security information.
