Trusted Filter uses unsafe SSL connection

Bug #1373993 reported by Sean Dague on 2014-09-25
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Critical
Sylvain Bauza
Icehouse
Critical
Yaguang Tang

Bug Description

HTTPSClientAuthConnection uses httplib.HTTPSConnection objects. In Python 2.x those do not perform CA checks so client connections are vulnerable to MiM attacks.

This should be changed to use the requests lib.

Sean Dague (sdague) wrote :
Changed in nova:
status: New → Triaged
importance: Undecided → Critical
tags: added: scheduler
Changed in nova:
assignee: nobody → Sylvain Bauza (sylvain-bauza)

Fix proposed to branch: master
Review: https://review.openstack.org/124714

Changed in nova:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/124714
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=30871e8702737edbbfbcbbb5f21858873b37685c
Submitter: Jenkins
Branch: master

commit 30871e8702737edbbfbcbbb5f21858873b37685c
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

    Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.

    SecurityImpact

    Closes-Bug: #1373993

    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-10-07
tags: added: juno-rc-potential
Thierry Carrez (ttx) on 2014-10-07
Changed in nova:
milestone: none → juno-rc2
Thierry Carrez (ttx) on 2014-10-07
tags: removed: juno-rc-potential

Reviewed: https://review.openstack.org/126137
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cc88417637e4967860619e8d7e43f5d28957fcda
Submitter: Jenkins
Branch: proposed/juno

commit cc88417637e4967860619e8d7e43f5d28957fcda
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

    Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.

    SecurityImpact

    Closes-Bug: #1373993

    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

Thierry Carrez (ttx) on 2014-10-07
Changed in nova:
status: Fix Committed → Fix Released
Yaguang Tang (heut2008) on 2014-10-09
tags: added: icehouse-backport-potential
Thierry Carrez (ttx) on 2014-10-16
Changed in nova:
milestone: juno-rc2 → 2014.2
Download full text (7.7 KiB)

Reviewed: https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch: master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <email address hidden>
Date: Sun Oct 5 00:20:01 2014 +0800

    Fix pci_request_id break the upgrade from icehouse to juno

    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.

    This patch filters pci_request_id out from the tuple.

    Cherry-Pick from:
    https://review.openstack.org/#/c/126144/6

    Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
    Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:22:36 2014 +0200

    Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova

    Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

    Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <email address hidden>
Date: Fri Oct 3 16:41:03 2014 -0400

    Update rpc version aliases for juno

    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno. This alias is needed when
    doing rolling upgrades from Juno to Kilo. With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.

    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

    Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a u...

Read more...

Reviewed: https://review.openstack.org/127203
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=d7c8e936f373695580721f418e3eea7a31c00ea1
Submitter: Jenkins
Branch: stable/icehouse

commit d7c8e936f373695580721f418e3eea7a31c00ea1
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

    Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided)
    This effort is related to CVE 2013-2255.
    SecurityImpact

    ReleaseNote
    This patch adds an option attestation_insecure_ssl in TrustedFilter which can be
    used to verify CAs. The default value is set to True, disabling SSL certificate
    verification. While this is the insecure option, it was selected for backward
    compatibility reasons.

    Closes-Bug: #1373993
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

    Conflicts:
     nova/tests/scheduler/test_host_filters.py

    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44

tags: added: in-stable-icehouse
Alan Pevec (apevec) on 2015-03-13
tags: removed: icehouse-backport-potential in-stable-icehouse
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers