security issues in heat templates
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Heat Templates | Confirmed | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
I was asked to take a look at the openstack/
I went through the code at https:/
Here is a summary of the things that I found:
* yum repositories that make connections via http (should be https)
* yum repositories being created with sslverify=false (should verify ssl certificates)
* yum repositories being created with gpgcheck=0 (gpg should be used to verify the packages)
* importing a rpm key via http
* using hmac-md5 via dnssec (deprecated?)
* potentially insecure file permissions for configuration files that contain sensitive info (e.g. passwords)
* selinux disabled
* sql database settings containing username / password created in temp file at predictable location with 644 perms. Is the temp file cleaned up?
* creating crontab file in /tmp at a predictable location and importing it. (potential toctou issue?)
* running scripts that are being downloaded via http instead of https.
I've attached a file detailing which problems belong in which files. I'm not entirely sure if this needs to go through the whole CVE process, but I believe that most of these issues need to be addressed.
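The patterns listed above are the kind of thing a reviewer ends up grepping for by hand in the shell scripts that heat templates embed as instance user-data. The following checker is an added example written for this page, not code from the openstack/heat-templates project or its attached report: it runs a set of regular-expression checks over a script and reports the line, the check that fired and what to do instead. The two sample scripts (`WEAK_USERDATA`, `HARDENED_USERDATA`), the mirror hostname `mirror.example.invalid`, the check names and the remediation text are all constructed here for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of weak user-data: every line that matches one of the
# patterns from the bug report is made up here to exercise the checks.
WEAK_USERDATA = """\
#!/bin/bash
cat > /etc/yum.repos.d/example.repo <<EOF
[example]
name=Example repo
baseurl=http://mirror.example.invalid/el7/
enabled=1
gpgcheck=0
sslverify=false
EOF
rpm --import http://mirror.example.invalid/RPM-GPG-KEY-example
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
cat > /tmp/dbsettings.cfg <<EOF
DB_USER=app
DB_PASS=secret
EOF
chmod 644 /tmp/dbsettings.cfg
echo "*/5 * * * * /usr/local/bin/job" > /tmp/crontab.txt
crontab /tmp/crontab.txt
curl http://mirror.example.invalid/setup.sh | bash
"""

# Constructed hardened counterpart: https everywhere, signature checks on,
# SELinux left alone, credentials in an mktemp file with 0600 that is removed.
HARDENED_USERDATA = """\
#!/bin/bash
cat > /etc/yum.repos.d/example.repo <<EOF
[example]
name=Example repo
baseurl=https://mirror.example.invalid/el7/
enabled=1
gpgcheck=1
gpgkey=https://mirror.example.invalid/RPM-GPG-KEY-example
sslverify=true
EOF
rpm --import https://mirror.example.invalid/RPM-GPG-KEY-example
cfg=$(mktemp)
chmod 600 "$cfg"
printf 'DB_USER=app\\nDB_PASS=secret\\n' > "$cfg"
tmp=$(mktemp)
echo "*/5 * * * * /usr/local/bin/job" > "$tmp"
crontab "$tmp"
rm -f "$cfg" "$tmp"
"""

Finding = Tuple[int, str, str]  # (line number, check name, remediation)

# (check name, pattern applied per line, what the script should do instead)
CHECKS = [
    ("http-repo-url", re.compile(r"^\s*(baseurl|mirrorlist)\s*=\s*http://"),
     "point baseurl/mirrorlist at an https URL"),
    ("sslverify-disabled", re.compile(r"^\s*sslverify\s*=\s*(false|0)\b", re.I),
     "keep sslverify enabled so the mirror certificate is checked"),
    ("gpgcheck-disabled", re.compile(r"^\s*gpgcheck\s*=\s*0\b"),
     "set gpgcheck=1 and a gpgkey fetched over https"),
    ("rpm-key-over-http", re.compile(r"\brpm\s+--import\s+http://"),
     "import signing keys over https or ship them in the image"),
    ("hmac-md5-tsig", re.compile(r"\bhmac-md5\b", re.I),
     "use an hmac-sha256 TSIG key"),
    ("selinux-disabled", re.compile(r"\bsetenforce\s+0\b|\bSELINUX=disabled\b"),
     "leave SELinux enforcing and fix the policy instead"),
    ("predictable-tmp-path", re.compile(r"(?:/var)?/tmp/[\w.-]+"),
     "create temp files with mktemp and remove them afterwards"),
    ("world-readable-perms", re.compile(r"\bchmod\s+[0-7]?[0-7][0-7][4-7]\b"),
     "use 0600 for files that hold credentials"),
    ("script-over-http",
     re.compile(r"\b(curl|wget)\b[^|]*\bhttp://[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
     "fetch scripts over https and verify a checksum or signature"),
]


def scan_userdata(script: str) -> List[Finding]:
    """Run every check on every line; one finding per (line, check) pair."""
    findings: List[Finding] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern, fix in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name, fix))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_USERDATA), ("hardened", HARDENED_USERDATA)):
        hits = scan_userdata(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, name, fix in hits:
            print(f"  line {lineno}: {name} -> {fix}")
```

The checks are deliberately line-local so they can be dropped into a pre-commit hook or CI job over `user_data` scripts extracted from templates; a heredoc spanning several lines is still caught because the repository keys (`baseurl=`, `gpgcheck=`, `sslverify=`) each sit on their own line. Note that "predictable-tmp-path" fires on any literal `/tmp/` path, which is the point: a path produced by `mktemp` at run time never appears as a literal in the script.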
information type: Private Security → Public Security
I think some of this would be relevant for OSSA if we consider(ed) heat-templates in the scope of what we release advisories for.
At this point the scope/coverage has been loosely defined. Everyone agrees that Integrated projects count. We have a few extra projects covered too (python-*client corresponding to integrated projects in particular). We need to have that discussion about scope ASAP to clarify our position. Until we get more resources on the VMT my position is rather minimalist.
So my lazy answer would be to leave them out of scope until the most obvious issues are fixed, at which point we could consider adding them...