shuffle method bring potential security issue

Bug #1246160 reported by Bin Hou
Affects                        Status    Importance  Assigned to  Milestone
OpenStack Compute (nova)       Opinion   Wishlist    Unassigned
OpenStack Security Advisory    Invalid   Undecided   Unassigned

Bug Description

In /nova/utils.py, line 328, the source code is as below:

            r.shuffle(password)

This code is using the shuffle method to generate a random number. Standard random number generators should not be used to generate randomness used for security reasons. For security-sensitive randomness, a cryptographic randomness generator that provides sufficient entropy should be used.

Tags: security
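The report's point is that the shuffle step of a password generator is itself security-sensitive, so it has to be driven by a cryptographic RNG. The following is an added illustration and not nova's code: it builds a password that meets a constructed character-class policy, draws every choice and the final shuffle from random.SystemRandom (which reads the OS cryptographic RNG and exposes the same choice/shuffle API as the default generator), and shows why a seeded default-module generator is unsuitable. The policy, function names and symbol set are assumptions made for the example.

```python
"""Added example (not nova's code): password generation backed by a
cryptographic RNG instead of the default `random` module generator.

Assumptions (not from the bug report): the character-class policy,
the function names and the default length are constructed for illustration.
"""
import random
import string

# SystemRandom draws from os.urandom(), the OS cryptographic RNG. It has the
# same API as random.Random (choice, shuffle, ...), so it is a drop-in
# replacement for the deterministic Mersenne Twister behind the default module.
_STRONG_RNG = random.SystemRandom()

# Constructed policy: a password must contain at least one character from
# each of these classes.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
)


def generate_password(length=20, rng=_STRONG_RNG):
    """Return a password of `length` characters containing at least one
    character from every class in CHARACTER_CLASSES.

    `rng` defaults to the cryptographic generator; the parameter exists only
    so that weak and strong generators can be compared side by side.
    """
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length must be at least %d" % len(CHARACTER_CLASSES))

    # Guarantee one character per class, then fill the remainder from the
    # union of all classes.
    password = [rng.choice(cls) for cls in CHARACTER_CLASSES]
    alphabet = "".join(CHARACTER_CLASSES)
    password.extend(rng.choice(alphabet) for _ in range(length - len(password)))

    # Shuffle so the guaranteed characters do not always occupy the leading
    # positions. This is the step flagged in the bug report: if the shuffle
    # came from a predictable generator, the arrangement would be predictable
    # even though the individual characters were not.
    rng.shuffle(password)
    return "".join(password)


def meets_policy(password):
    """True if `password` uses only allowed characters and covers every class."""
    alphabet = set("".join(CHARACTER_CLASSES))
    return set(password) <= alphabet and all(
        any(c in cls for c in password) for cls in CHARACTER_CLASSES
    )


def weak_generator_is_reproducible(seed=1234, length=20):
    """Show why the default generator is unsuitable for secrets: two
    random.Random instances seeded identically produce the identical
    'random' password, so anyone who learns (or guesses) the seed can
    replay it. SystemRandom ignores seed() and has no state to replay."""
    first = random.Random(seed)
    second = random.Random(seed)
    return generate_password(length, rng=first) == generate_password(length, rng=second)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    print("default generator reproducible:", weak_generator_is_reproducible())
```

Because random.SystemRandom shares the random.Random interface, switching an existing generator is usually a one-line change of which object `r` refers to; the check worth adding in review is that no call in the password path (choice, shuffle, randint) still reaches the module-level functions of `random`.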
Revision history for this message
Thierry Carrez (ttx) wrote :

While I agree that using a more random RNG in this case makes sense, I don't think its use in this particular instance would trigger a practically exploitable vulnerability.

As such, I think we can open this bug publicly and push a patch to improve this into future versions of OpenStack. If you agree to make the issue public, I'll open this bug unless someone objects.

Changed in ossa:
status: New → Incomplete
Bin Hou (binhou) wrote :

I am fine with making the issue public and making improvements in a future release.

Jeremy Stanley (fungi)
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Invalid
tags: added: security
Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
Cale Rath (ctrath)
Changed in nova:
assignee: nobody → Cale Rath (ctrath)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210092

Changed in nova:
status: Confirmed → In Progress
Changed in nova:
assignee: Cale Rath (ctrath) → Alexis Lee (alexisl)
Changed in nova:
assignee: Alexis Lee (alexisl) → Cale Rath (ctrath)
stgleb (gstepanov) wrote :

Cale Rath, are you still working on this patch?

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/210092

Markus Zoeller (markus_z) (mzoeller) wrote :

Cleanup
=======

There have been no open reviews for this bug report for more than 2 weeks.
To signal that to other contributors who might provide patches for
this bug, I am switching the status from "In Progress" to "Confirmed" and
removing the assignee.
Feel free to add yourself as assignee and to push a review for it.

Changed in nova:
status: In Progress → Confirmed
assignee: Cale Rath (ctrath) → nobody
Sean Dague (sdague) wrote :

There is really very low exposure here.

Changed in nova:
status: Confirmed → Opinion