glance requires md5 implementation be available
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | High | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Glance populates a legacy 'checksum' image property which is an md5 hash of image data content. It's a "legacy" property because it has not been required for the validation of downloaded image data since glance version 17.0.0 (Rocky) when the operator-
To remove the dependency on the insecure MD5 algorithm, glance should stop populating the legacy 'checksum' field. It has already been made redundant by the secure "multihash" and is unnecessary. In order to preserve backward compatibility, the field will not be removed.
As a timeframe for fixing this: an announcement can be made to operators as part of the Ussuri release, and code using md5 will be removed during the Victoria development cycle. Thus the Victoria release will not require Glance to be executed in a non-compliant security environment.
Given this is only being fixed in master, and is also not in itself a vulnerability, I don't think we'll need a formal security advisory and CVE assignment. This is probably most accurately classified as a security hardening opportunity (report class D in the VMT's taxonomy): https://security.openstack.org/vmt-process.html#incident-report-taxonomy
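An added example, not part of the bug report or Glance's own code: one way a consumer of image data can validate a download from the multihash alone, so that an unpopulated 'checksum' or a host where md5 is unavailable does not break verification. `os_hash_algo` and `os_hash_value` are the image properties that carry the multihash; the function name, the record dict and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

def verify_image(image, stream, chunk_size=64 * 1024):
    """Validate image data against the hash properties of its record.

    `image` is a dict shaped like an image record (constructed here).
    Returns the name of the algorithm that validated the data and raises
    ValueError on a mismatch or when no usable hash is available.
    """
    algo = image.get("os_hash_algo")
    expected = image.get("os_hash_value")
    if not (algo and expected):
        # Record predates the multihash: only the legacy md5 'checksum' exists.
        algo, expected = "md5", image.get("checksum")
        if not expected:
            raise ValueError("image record carries no hash to verify against")
    try:
        hasher = hashlib.new(algo)
    except ValueError as exc:
        # Raised for an unknown algorithm, and for md5 where the crypto
        # library refuses it (for example a FIPS-mode build).
        raise ValueError(f"hash algorithm {algo!r} is unavailable") from exc
    # Hash in chunks so large images are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    if not hmac.compare_digest(hasher.hexdigest(), expected.lower()):
        raise ValueError(f"{algo} mismatch for image data")
    return algo

# Constructed sample: a record as it would look once 'checksum' is no
# longer populated but the field itself is still present.
DATA = b"constructed image bytes" * 1000
RECORD = {
    "os_hash_algo": "sha512",
    "os_hash_value": hashlib.sha512(DATA).hexdigest(),
    "checksum": None,
}

if __name__ == "__main__":
    print("verified with", verify_image(RECORD, io.BytesIO(DATA)))
```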