VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection

Bug #1436082 reported by Ian Cordasco on 2015-03-24
Affects                    Status    Importance    Assigned to     Milestone
OpenStack Security Notes             Undecided     Grant Murphy
glance_store                         High          Ian Cordasco

Bug Description

VMWare store: https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501 (_get_conn_class above simply uses httplib.HTTPSConnection).

HTTP Store: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179

This leaves both stores open to man-in-the-middle attacks while transferring image data.
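The pattern the report points at (an HTTPSConnection built with no verifying TLS context) can be audited statically before it ships. The scanner below is an added example written for this page, not glance_store's own code; the SAMPLE source it walks is constructed to mirror the store code described above and uses hypothetical `host`/`port` names.

```python
"""Audit Python source for HTTPSConnection calls that never supply a verifying
TLS context (added example, not part of glance_store)."""
import ast

HTTPS_CLASS_NAMES = {"HTTPSConnection"}


def _callee_name(node):
    """Return the final name of a call target, so both
    httplib.HTTPSConnection(...) and HTTPSConnection(...) yield 'HTTPSConnection'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_unverified_https(source):
    """Return (line, reason) for every HTTPSConnection(...) call that either
    passes no context= at all or passes ssl._create_unverified_context().
    Before PEP 476 (Python 2.7.9 / 3.4.3) a call without context did no
    certificate or hostname check; afterwards it depends on the interpreter
    default instead of an explicit, reviewable context."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node) not in HTTPS_CLASS_NAMES:
            continue
        ctx = next((kw.value for kw in node.keywords if kw.arg == "context"), None)
        if ctx is None:
            findings.append((node.lineno, "HTTPSConnection without context="))
        elif isinstance(ctx, ast.Call) and _callee_name(ctx) == "_create_unverified_context":
            findings.append((node.lineno, "explicitly unverified context"))
    return findings


# Constructed sample (not the real store source): one legacy call, one call
# with a verifying context, one call that disables verification on purpose.
SAMPLE = """\
import httplib, ssl

def _get_conn_class(scheme):
    return httplib.HTTPSConnection if scheme == 'https' else httplib.HTTPConnection

conn = httplib.HTTPSConnection(host, port)
safe = httplib.HTTPSConnection(host, port,
                               context=ssl.create_default_context())
loose = httplib.HTTPSConnection(host, port, context=ssl._create_unverified_context())
"""

if __name__ == "__main__":
    for line, reason in find_unverified_https(SAMPLE):
        print("line %d: %s" % (line, reason))
```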


Ian Cordasco (icordasc) wrote :

The tests are failing right now because of mocks relying on httplib for testing, but this should be functionally equivalent to the current behaviour.

Changed in glance-store:
assignee: nobody → Ian Cordasco (icordasc)
Ian Cordasco (icordasc) wrote :

This patch has some bugs. I'm working on a follow-up.

Ian Cordasco (icordasc) wrote :

Attached is the latest update + test fixes. I'll tackle fixing the VMWare store soon too.

Ian Cordasco (icordasc) wrote :

I just added the OpenStack VMT because it appears they weren't already subscribed to changes here.

Changed in glance-store:
status: New → In Progress
importance: Undecided → Critical
Jeremy Stanley (fungi) wrote :

Is this client-facing, or another case of bug 1188189?

Ian Cordasco (icordasc) wrote :

Looks like it's another case of bug 18188189.

Jeremy Stanley (fungi) wrote :

In that case, there's no need to keep the bug marked private, and it can just be fixed publicly through the normal code review process. The VMT isn't issuing any advisories for server-to-server or server-to-backend communication security hardening measures until the situation across those projects improves to the point where we actually think we've adequately secured this traffic against malicious actors on internal management networks by default.

Ian Cordasco (icordasc) on 2015-03-27
Changed in glance-store:
importance: Critical → High
information type: Private Security → Public Security
Jeremy Stanley (fungi) on 2015-03-27
information type: Public Security → Public
tags: added: security
Ian Cordasco (icordasc) wrote :

See https://review.openstack.org/#/c/168507 for the HTTP Store and https://review.openstack.org/168540 for the VMWare Store.

Ian Cordasco (icordasc) on 2015-06-12
Changed in ossn:
assignee: nobody → Ian Cordasco (icordasc)
status: New → In Progress
Changed in ossn:
assignee: Ian Cordasco (icordasc) → nobody
assignee: nobody → Grant Murphy (gmurphy)
Jamie Finnigan (jamiefinnigan) wrote :

Previous OSSN regarding httplib.HTTPSConnection at https://wiki.openstack.org/wiki/OSSN/OSSN-0033.

Grant Murphy (gmurphy) on 2015-09-02
Changed in ossn:
status: In Progress → Fix Committed
Robert Clark (robert-clark) wrote :

Grant - can you add a link to the review for this OSSN please - the 'fixed by' feature for cross posting from Gerrit to LP isn't working for some reason.

Nathan Kinder (nkinder) wrote :

The published version of OSSN-0033 has been updated with the new bug references:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0033

Changed in ossn:
status: Fix Committed → Fix Released

Change abandoned by Glance Bot (<email address hidden>) on branch: master
Review: https://review.openstack.org/168507

tags: added: spec-lite
Flavio Percoco (flaper87) wrote :

This was discussed in the driver's meeting on Dec 15th and it was approved as a spec lite.

Reviewed: https://review.openstack.org/168507
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=2572ea1410d4cb02b65f5791681d4d8e54adc67c
Submitter: Jenkins
Branch: master

commit 2572ea1410d4cb02b65f5791681d4d8e54adc67c
Author: Ian Cordasco <email address hidden>
Date: Fri Mar 27 17:49:36 2015 -0500

    Switch HTTP store to using requests

    Previously the HTTP store was using httplib and specifically unverified
    HTTPS connections to download data about images. By switching to using
    requests, we will get several benefits:

    1. Certificate verification when using HTTPS
    2. Connection pooling when following redirects
    3. Help handling redirects

    Closes-bug: 1263067
    Partial-bug: 1436082
    Implements: blueprint http-store-on-requests

    Co-Authored-By: Sabari Kumar Murugesan <email address hidden>

    Change-Id: Ib114919c1e1361ba64fe9e8382e1a2c39dbb3271

Reviewed: https://review.openstack.org/168540
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=91636e8b85de680ea1347b60b1c2a27022c0f26f
Submitter: Jenkins
Branch: master

commit 91636e8b85de680ea1347b60b1c2a27022c0f26f
Author: Ian Cordasco <email address hidden>
Date: Fri Mar 27 21:18:42 2015 -0500

    Switch VMWare Datastore to use Requests

    Previously the VMWare Datastore was using HTTPS Connections from httplib
    which do not verify the connection. Switching to requests allows the
    store to perform proper connection level verification for a secure
    connection. By switching to using requests, we will get several
    benefits:

    1. Certificate verification when using HTTPS
    2. Connection pooling when following redirects
    3. Help handling redirects
    4. Help with Chunked Encoding

    Partial-bug: 1436082

    Co-authored-by: Sabari Kumar Murugesan <email address hidden>

    Change-Id: I8ff20b2f6bd0e05cd50e44a60ec89fd54f87e1b4

Kairat Kushaev (kkushaev) wrote :

Fix released in glance_store 0.11.0

Changed in glance-store:
status: In Progress → Fix Released