Hi Nick,
I like your vulnerability details, though there are a couple of small comments I'd like to make:
- "user could gain control of volumes" ==> It's more like they can gain read/write access to the volumes, but not control, because they cannot delete the volumes, take snapshots, etc.
- "the scope of exposed images" ==> This may be misleading, because when I hear the word "images" in the context of OpenStack I think of Glance images, not Cinder volumes.
- I feel like we are singling out Pure as the only affected FCP driver just because that's the one I could get my hands on. Maybe we can rephrase it:
  - Drivers using FCP will be affected unless the array sends the "Power-on Reset" SCSI Sense code when mapping the volume. In our limited testing only a 3PAR array sent it, but this doesn't mean that all 3PARs will do.
Cheers,
Gorka.