shuffle method bring potential security issue
Bug #1246160 reported by Bin Hou
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
Bug Description
In the /nova/utils.py, line 328, the source code is below
This code is using the shuffle method to generate a random number. Standard random number generators should not be used to generate randomness used for security reasons. For security-sensitive randomness, a cryptographic randomness generator that provides sufficient entropy should be used.
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Invalid
tags: added: security
Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
Changed in nova:
assignee: nobody → Cale Rath (ctrath)
Changed in nova:
assignee: Cale Rath (ctrath) → Alexis Lee (alexisl)
Changed in nova:
assignee: Alexis Lee (alexisl) → Cale Rath (ctrath)
While I agree that using a more random RNG in this case makes sense, I don't think its use in this particular instance would trigger a practically exploitable vulnerability.
As such, I think we can open this bug publicly and push a patch to improve this into future versions of OpenStack. If you agree to make the issue public, I'll open this bug unless someone objects.
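The distinction raised in the bug description, shown as an added example that is not nova's code and not part of the original report: the same choose-then-shuffle routine driven first by Python's default Mersenne Twister generator and then by `random.SystemRandom`, which draws from the operating system's CSPRNG. The symbol set and all function names here are assumptions made for illustration.

```python
import random
import string

# Constructed alphabet for the example; not nova's symbol groups.
SYMBOLS = string.ascii_letters + string.digits


def build_token(rng, length=16):
    """Pick `length` symbols with `rng`, then shuffle them with the same `rng`.

    `rng` is any random.Random-compatible object, so the only thing that
    changes between the weak and hardened variants is the entropy source.
    """
    chars = [rng.choice(SYMBOLS) for _ in range(length)]
    rng.shuffle(chars)
    return "".join(chars)


def weak_token(seed, length=16):
    """Default generator (Mersenne Twister): output is fully determined by
    the seed/internal state, so it is unsuitable for secrets."""
    return build_token(random.Random(seed), length)


def strong_token(length=16):
    """Hardened form: SystemRandom reads os.urandom for every draw and has
    no seedable state to reproduce."""
    return build_token(random.SystemRandom(), length)


def shuffle_secure(items):
    """Return a shuffled copy of `items` using the OS CSPRNG."""
    out = list(items)
    random.SystemRandom().shuffle(out)
    return out


if __name__ == "__main__":
    # Same seed, same "random" token: the weak variant is reproducible.
    print("weak  :", weak_token(1234), weak_token(1234))
    # The hardened variant cannot be replayed from a seed.
    print("strong:", strong_token(), strong_token())
    print("shuffle_secure:", shuffle_secure(range(8)))
```

`random.SystemRandom` exposes the same `choice` and `shuffle` methods as the module-level functions, so switching an existing call site is usually a matter of replacing `random.shuffle(x)` with a call on a `SystemRandom` instance.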