fallback to unsigned stream metadata may have security issues
Bug #1320312 reported by dann frazier
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical Juju | Fix Released | Medium | Unassigned | |
Bug Description
When juju is fetching simple streams metadata for images and tools, it appears to look for a signed file (.sjson) first, and falls back to an unsigned one (.json). This process seems susceptible to man-in-the-middle attacks. An attacker could intercept juju's request for a .sjson file and return a 404, then return a malicious .json file on the fallback request.
Juju metadata could support signing of personal streams, and/or users could configure Juju to accept a key they trust.
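The search order the description refers to (signed `.sjson` first, then unsigned `.json`) is what turns a suppressed response into a downgrade: the client ends up trusting whatever answers the second request. The Go below is an added illustration written for this report, not juju's own loader; it models a metadata host as an in-memory map, the host name is hypothetical, and it deliberately stops short of signature verification (`Signed` only records which path was served; checking the inline signature against a trusted key is a separate step). The `allowUnsigned` flag contrasts the reported behaviour with a loader that treats a missing `.sjson` as a hard error.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for an HTTP 404 from the metadata host.
var ErrNotFound = errors.New("not found")

// ErrUnsignedRefused is returned when only unsigned metadata is reachable
// and the loader's policy does not allow falling back to it.
var ErrUnsignedRefused = errors.New("unsigned metadata refused by policy")

// Source is all the loader needs from a metadata host: the bytes at a URL,
// or ErrNotFound for a 404.
type Source interface {
	Get(url string) ([]byte, error)
}

// MapSource is a constructed in-memory stand-in for an HTTP host
// (hypothetical; juju's real fetcher is not modelled here).
type MapSource map[string][]byte

func (m MapSource) Get(url string) ([]byte, error) {
	body, ok := m[url]
	if !ok {
		return nil, ErrNotFound
	}
	return body, nil
}

// Result records which file was actually used. Signed only means the .sjson
// path was served; verifying the inline signature against a trusted key is a
// separate step the caller must still perform.
type Result struct {
	URL    string
	Signed bool
	Body   []byte
}

// LoadIndex looks for <base>/index.sjson first. With allowUnsigned=true it
// falls back to <base>/index.json on a 404, which is the behaviour the report
// describes. With allowUnsigned=false a 404 on the signed file is a hard
// error, so suppressing the .sjson response alone cannot steer the client
// onto metadata it has no way to verify.
func LoadIndex(src Source, base string, allowUnsigned bool) (Result, error) {
	signedURL := base + "/index.sjson"
	body, err := src.Get(signedURL)
	if err == nil {
		return Result{URL: signedURL, Signed: true, Body: body}, nil
	}
	if !errors.Is(err, ErrNotFound) {
		return Result{}, fmt.Errorf("fetch %s: %w", signedURL, err)
	}
	if !allowUnsigned {
		return Result{}, fmt.Errorf("%s missing: %w", signedURL, ErrUnsignedRefused)
	}
	unsignedURL := base + "/index.json"
	body, err = src.Get(unsignedURL)
	if err != nil {
		return Result{}, fmt.Errorf("fetch %s: %w", unsignedURL, err)
	}
	return Result{URL: unsignedURL, Signed: false, Body: body}, nil
}

// UnsignedOnlySource builds the situation from the report: no .sjson is
// served for base, only a plain index.json (constructed sample content).
func UnsignedOnlySource(base string) MapSource {
	return MapSource{base + "/index.json": []byte(`{"index":{},"format":"index:1.0"}`)}
}

func main() {
	base := "https://streams.example.invalid/tools/streams/v1" // hypothetical host
	src := UnsignedOnlySource(base)

	r, err := LoadIndex(src, base, true)
	fmt.Printf("fallback allowed: used %s signed=%v err=%v\n", r.URL, r.Signed, err)

	_, err = LoadIndex(src, base, false)
	fmt.Printf("fallback refused: err=%v\n", err)
}
```

With the permissive policy the loader quietly reports `index.json` as its source; with the strict policy the same host produces an `ErrUnsignedRefused` error that an operator can see and act on, which is the property the report is asking for.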
Changed in juju-core:
  milestone: none → 2.0-beta2
  status: Triaged → Fix Committed
Changed in juju-core:
  status: Fix Committed → Fix Released
affects: juju-core → juju
Changed in juju:
  milestone: 2.0-beta2 → none
  milestone: none → 2.0-beta2
For reference: https://juju.ubuntu.com/docs/howto-privatecloud.html
"Metadata may be inline signed, or unsigned. We indicate a metadata file is signed by using the '.sjson' extension. Each location in the path is first searched for signed metadata, and if none is found, unsigned metadata is attempted before moving onto the next path location."
I verified this behavior by overriding the tools metadata url in a juju-core 1.19.2 release (in the source, tools-metadata-url in environments.yaml didn't seem to work), and provided only an unsigned .json file there. The debug output seems to confirm this behavior:
2014-05-16 17:27:39 DEBUG juju.environs.simplestreams simplestreams.go:388 fetchData failed for "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson": cannot find URL "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson" not found
2014-05-16 17:27:39 DEBUG juju.environs.simplestreams simplestreams.go:362 cannot load index "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson": invalid URL "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson" not found
2014-05-16 17:27:39 INFO juju.utils http.go:56 hostname SSL verification enabled
2014-05-16 17:27:39 INFO juju.utils http.go:56 hostname SSL verification enabled
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:388 fetchData failed for "http://people.canonical.com/~dannf/tools/streams/v1/mirrors.json": cannot find URL "http://people.canonical.com/~dannf/tools/streams/v1/mirrors.json" not found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:465 no mirror index file found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:446 no mirror information available for {us-east-1 https://ec2.us-east-1.amazonaws.com}: mirror data for "com.ubuntu.juju:released:tools" not found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:366 read metadata index at "http://people.canonical.com/~dannf/tools/streams/v1/index.json"
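The debug output above is also the evidence an operator would look for after the fact: a `fetchData failed` on an `index.sjson` URL followed, for the same base URL, by `read metadata index at` the `.json` sibling. The Go below is an added example, not part of the report or of juju; it embeds that same output (reassembled one record per line, with the people.canonical.com URLs exactly as quoted) as constructed sample input and pairs each signed miss with a later unsigned read, so a single match means the client actually proceeded on unsigned metadata rather than merely probing for the signed file.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is the debug output quoted in the comment, one record per line
// (constructed sample input for this example; content is as quoted there).
const SampleLog = `2014-05-16 17:27:39 DEBUG juju.environs.simplestreams simplestreams.go:388 fetchData failed for "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson": cannot find URL "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson" not found
2014-05-16 17:27:39 DEBUG juju.environs.simplestreams simplestreams.go:362 cannot load index "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson": invalid URL "http://people.canonical.com/~dannf/tools/streams/v1/index.sjson" not found
2014-05-16 17:27:39 INFO juju.utils http.go:56 hostname SSL verification enabled
2014-05-16 17:27:39 INFO juju.utils http.go:56 hostname SSL verification enabled
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:388 fetchData failed for "http://people.canonical.com/~dannf/tools/streams/v1/mirrors.json": cannot find URL "http://people.canonical.com/~dannf/tools/streams/v1/mirrors.json" not found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:465 no mirror index file found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:446 no mirror information available for {us-east-1 https://ec2.us-east-1.amazonaws.com}: mirror data for "com.ubuntu.juju:released:tools" not found
2014-05-16 17:27:40 DEBUG juju.environs.simplestreams simplestreams.go:366 read metadata index at "http://people.canonical.com/~dannf/tools/streams/v1/index.json"`

var (
	// A failed fetch of a signed index; group 1 is the URL without ".sjson".
	signedMiss = regexp.MustCompile(`fetchData failed for "([^"]+)\.sjson"`)
	// A successful read of an unsigned index; group 1 is the URL without ".json".
	unsignedRead = regexp.MustCompile(`read metadata index at "([^"]+)\.json"`)
)

// Downgrade is one signed miss followed by an unsigned read of the same index.
type Downgrade struct {
	Base     string // URL without the .sjson/.json extension
	MissLine int    // 1-based line of the .sjson failure
	ReadLine int    // 1-based line of the .json read
}

// FindDowngrades scans juju debug output line by line. A signed miss is
// remembered by base URL; a later unsigned read of the same base URL is
// reported as a downgrade. Failed mirrors.json fetches and unsigned reads
// with no preceding .sjson miss are ignored.
func FindDowngrades(logText string) []Downgrade {
	var found []Downgrade
	pending := map[string]int{} // base URL -> line where the .sjson fetch failed
	for i, line := range strings.Split(logText, "\n") {
		if m := signedMiss.FindStringSubmatch(line); m != nil {
			pending[m[1]] = i + 1
			continue
		}
		if m := unsignedRead.FindStringSubmatch(line); m != nil {
			if missAt, ok := pending[m[1]]; ok {
				found = append(found, Downgrade{Base: m[1], MissLine: missAt, ReadLine: i + 1})
				delete(pending, m[1])
			}
		}
	}
	return found
}

func main() {
	for _, d := range FindDowngrades(SampleLog) {
		fmt.Printf("unsigned fallback: %s (.sjson missing at line %d, .json read at line %d)\n",
			d.Base, d.MissLine, d.ReadLine)
	}
}
```

On the quoted output this reports exactly one downgrade for `.../tools/streams/v1/index`. In a deployment the same check belongs on a log pipeline at DEBUG level for `juju.environs.simplestreams`, since at the default level the fallback leaves no trace at all.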