scaleio connector disables HTTPS certificate validation

Bug #1929223 reported by Eric Harney
Affects: os-brick
Status: Fix Released
Importance: High
Assigned to: Oleg Nesterenkov
Milestone: (none)

Bug Description

A number of methods in the scaleio connector (connect_volume, disconnect_volume, and others) disable HTTPS cert validation via the requests.get() call by specifying verify=False.

These should enable certificate validation (like the PowerFlex Cinder driver does) when the "driver_ssl_cert_verify" and "driver_ssl_cert_path" options are set in Cinder.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since os-brick isn't on the list of deliverables overseen by the OpenStack VMT ( https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html ) I'm responding only in an advisory capacity.

In the past we've considered lack of SSL certificate verification to be a security hardening opportunity. Given that historically many inter-service connections, and particularly driver backends to commercial devices, lacked an easy means of enabling transport layer encryption at all or in cases where they did, were not easy for operators to replace the default/embedded self-signed certificates they shipped with, forcing this on by default often made integration very difficult for end users. The situation has improved in recent years, and so user expectations are probably shifting toward a default connection security stance, but I don't think this warrants a widespread advisory and can likely be fixed in public since there are doubtless many other drivers still in the same situation, and this is a generally well-known shortcoming.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

I agree with Jeremy's assessment that this can be fixed in public. If you disagree, please say so before Friday 18 June 23:59 UTC. If we want to keep it private, the clock is ticking (embargo can last at most 90 days, and we've already used 30).

Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

I agree as well. I think this can be done openly, as a good example of hardening inter-service calls.

Revision history for this message
Gorka Eguileor (gorka) wrote :

+1 to fixing it in public.

Revision history for this message
Walt Boring (walter-boring) wrote :

+1 with public

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Thanks for the feedback, everyone. I'll make this a public security bug.

information type: Private Security → Public Security
tags: added: drivers scaleio
Changed in os-brick:
importance: Undecided → High
Revision history for this message
Ivan Pchelintsev (pcheli) wrote :

Hi,
Maybe this issue can be resolved just by including an SSL verification flag/path to the certificate in the connection properties dict in the Cinder driver.
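
As an added example (not os-brick or Cinder code), the following Python follows the request in the bug description and the suggestion in the comment above: the Cinder driver copies driver_ssl_cert_verify and driver_ssl_cert_path into the connection properties, and the connector turns them into the verify= argument that requests.get() accepts, shown beside the unconditional verify=False pattern the report describes. The property key names, the gateway URL shape and the RecordingSession stand-in for requests.Session are assumptions made for this example so that it runs offline.

```python
"""Carrying Cinder's driver_ssl_cert_verify / driver_ssl_cert_path settings
through the connection_properties dict to the requests `verify=` argument.

Added example for this bug report; it is not os-brick or Cinder code.
Assumptions: the property keys 'verify_certificate' and 'certificate_path',
the gateway URL shape and RecordingSession are all made up here.
"""
import os
import tempfile
from typing import Any, Dict, Optional, Union


def build_connection_properties(driver_ssl_cert_verify: bool,
                                driver_ssl_cert_path: Optional[str],
                                volume_id: str) -> Dict[str, Any]:
    """Cinder driver side: pass the two SSL options along with the volume.

    The key names are an assumption of this example."""
    return {
        'volume_id': volume_id,
        'verify_certificate': driver_ssl_cert_verify,
        'certificate_path': driver_ssl_cert_path,
    }


def verify_arg_for_requests(props: Dict[str, Any]) -> Union[bool, str]:
    """Connector side: map the properties to what requests.get(verify=) takes.

    False -> no certificate or hostname validation (the reported behaviour)
    True  -> validate against the system CA bundle
    str   -> validate against the CA bundle / self-signed cert at that path
    """
    if not props.get('verify_certificate'):
        return False
    path = props.get('certificate_path')
    if not path:
        return True
    if not os.path.isfile(path):
        # Fail closed: a typo in driver_ssl_cert_path must surface as an
        # error, not silently degrade to an unverified connection.
        raise ValueError('certificate_path %r does not exist' % path)
    return path


class RecordingSession:
    """Stand-in for requests.Session so the example needs no network.

    It records the keyword arguments of every get() call instead of
    opening a connection (constructed for this example)."""

    def __init__(self) -> None:
        self.calls = []

    def get(self, url: str, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append((url, kwargs))
        return {'url': url, 'verify': kwargs.get('verify')}


def volume_url(gateway: str, volume_id: str) -> str:
    # Illustrative REST path; the real gateway API is not reproduced here.
    return 'https://%s/api/instances/Volume::%s' % (gateway, volume_id)


def query_volume_insecure(session, gateway: str, props: Dict[str, Any]):
    """The pattern the bug reports: validation disabled unconditionally,
    so an on-path attacker can impersonate the gateway."""
    return session.get(volume_url(gateway, props['volume_id']), verify=False)


def query_volume(session, gateway: str, props: Dict[str, Any]):
    """Hardened form: verify= follows what the operator configured."""
    verify = verify_arg_for_requests(props)
    return session.get(volume_url(gateway, props['volume_id']), verify=verify)


def demo() -> Dict[str, Dict[str, Any]]:
    """Run three operator configurations through both call styles and
    return the verify= value each one produced."""
    session = RecordingSession()
    results = {}
    with tempfile.NamedTemporaryFile(suffix='.pem') as ca_bundle:
        configs = {
            'verify_off': (False, None),
            'verify_system_ca': (True, None),
            'verify_custom_ca': (True, ca_bundle.name),
        }
        for name, (verify, path) in configs.items():
            props = build_connection_properties(verify, path, 'vol-1')
            before = query_volume_insecure(session, 'gw.example', props)
            after = query_volume(session, 'gw.example', props)
            results[name] = {'insecure': before['verify'],
                             'hardened': after['verify']}
    return results


if __name__ == '__main__':
    for name, outcome in demo().items():
        print('%-18s before: %-6s after: %s'
              % (name, outcome['insecure'], outcome['hardened']))
```

With verify=False, requests skips both chain validation and hostname matching, so TLS authenticates nothing and anyone on the path can stand in for the gateway. The hardened form only ever relaxes validation when the operator has left driver_ssl_cert_verify off, and it refuses to start when the configured certificate path is missing instead of quietly dropping back to no validation.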

Changed in os-brick:
assignee: nobody → Oleg Nesterenkov (olegnest)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-brick (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/os-brick/+/810419

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-brick (master)

Reviewed: https://review.opendev.org/c/openstack/os-brick/+/810419
Committed: https://opendev.org/openstack/os-brick/commit/adde4de38d3bee0e3e3fa9c94de647b28d53a2a8
Submitter: "Zuul (22348)"
Branch: master

commit adde4de38d3bee0e3e3fa9c94de647b28d53a2a8
Author: olegnest <email address hidden>
Date: Wed Sep 22 15:27:36 2021 +0300

    Fix PowerFlex connector HTTPS certificate validation

    Closes-Bug: #1929223

    Change-Id: Ia73c391d2fafde119e0bb4914c30b48b4300e330

Changed in os-brick:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-brick 5.2.0

This issue was fixed in the openstack/os-brick 5.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 20.0.1

This issue was fixed in the openstack/cinder 20.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 21.0.0.0rc1

This issue was fixed in the openstack/cinder 21.0.0.0rc1 release candidate.
