RabbitMQ downloads binary over http without verification

Bug #1791674 reported by Joshua Padman
Affects: kolla | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi,

Recently it was seen that Kolla was including a RabbitMQ plugin which is downloaded from the RabbitMQ website using HTTP. This file is then included without validation.

This could allow for the injection of code during the build. The website and download are also served on HTTPS with a valid certificate, which should be sufficient mitigation in many cases. However, verification of the binary via checksum would be even better.

Code affected:
https://git.openstack.org/cgit/openstack/kolla/tree/docker/rabbitmq/Dockerfile.j2#n55

There is a current git that may mitigate this for Debian installs:
https://git.openstack.org/cgit/openstack/kolla/commit/?id=4d8f5497d25a2150c3a11d9537a5c0a2005ce009

Downstream at Red Hat we will most likely be removing the download and not using the plugin moving forward.

The following CVE was assigned CVE-2018-14620. We are working to ship fixes soon.
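The checksum verification the report recommends, as an added example that is not part of the bug report or of Kolla's Dockerfile: a POSIX shell helper that accepts only https:// URLs, passes curl's --proto '=https' so a redirect cannot downgrade the transfer to plain HTTP, and refuses to keep the downloaded file unless its SHA-256 matches a value pinned in the build. The function names, the demo file and the example URL are constructed for illustration; the pinned hash in the demo is simply the SHA-256 of the text "hello\n".

```shell
#!/bin/sh
# Added example, not Kolla's code: download a build input over HTTPS and
# refuse to use it unless its SHA-256 matches a hash pinned in the build.
set -eu

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the hash matches. On mismatch the file is deleted so a later
# build step cannot pick up the unverified artifact by accident.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# fetch_verified URL DEST EXPECTED_HEX
# Accepts https:// URLs only. --proto '=https' also stops curl from following
# a redirect to a plain-http mirror, and --fail turns an HTTP error page into
# a failure instead of a file that would only be caught by the checksum.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    case $url in
        https://*) ;;
        *)
            echo "refusing non-HTTPS URL: $url" >&2
            return 1
            ;;
    esac
    curl --fail --silent --show-error --location --proto '=https' \
        --tlsv1.2 -o "$dest" "$url"
    verify_sha256 "$dest" "$expected"
}

# Stand-alone demo on a constructed local file (no network): the pinned hash
# below is SHA-256 of the text "hello\n".
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_sha256 "$demo_file" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "demo: checksum ok"
rm -f "$demo_file"
```

In a Dockerfile this would be a single RUN step that calls fetch_verified with the URL and the expected hash baked into the image recipe, so the hash is reviewed in the same change as the URL. HTTPS alone only protects the transfer; the pinned hash is what catches a replaced file on the server or mirror, which is the gap the commit message on this bug acknowledges.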

Revision history for this message
Joshua Padman (jpadman) wrote :

This is essentially happening in the following bug too:
https://bugs.launchpad.net/tripleo/+bug/1791077

Joshua Padman (jpadman) wrote :

Spoke with Martin André about this bug and the potential for others like it. The bug is not particularly serious and it would be good to open discussion about this and other potential bugs. Therefore I have set it to a "public security" bug.

I was unable to link the CVE as it was listed as invalid. Will try again soon.

information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/601322

Joshua Padman (jpadman)
description: updated
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla (master)

Reviewed: https://review.openstack.org/601322
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=27bab79096584b50947f0d81d41ad2e143c1041e
Submitter: Zuul
Branch: master

commit 27bab79096584b50947f0d81d41ad2e143c1041e
Author: Martin André <email address hidden>
Date: Mon Sep 10 18:49:02 2018 +0200

    Download binaries more securely

    Obtain binaries from encrypted source when we're unable to check for
    their signatures. This should provide better security than downloading
    the files over HTTP but does not replace signature verification or file
    integrity check.

    Related-Bug: #1791674
    Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd

Changed in kolla:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.