Juju uses http to contact uec-images.ubuntu.com

Bug #965507 reported by Clint Byrum
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyjuju
Fix Released
High
Clint Byrum
juju (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Unassigned

Bug Description

The AMI to use for spawning machines is determined by querying
uec-images.ubuntu.com. A malicious attacker could use a DNS spoof attack
to cause the 'bootstrap' to spawn their compromised AMI instead of the
official Ubuntu AMI's. Also the URL has been chagned from 'uec-images'
to 'cloud-images' upstream, as the UEC product is now just 'Ubuntu Cloud'.

Related branches

Changed in juju:
assignee: nobody → Clint Byrum (clint-fewbar)
milestone: none → honolulu
status: New → In Progress
security vulnerability: no → yes
Changed in juju (Ubuntu):
status: New → Triaged
Changed in juju:
importance: Undecided → High
Changed in juju (Ubuntu):
importance: Undecided → High
Changed in juju:
milestone: honolulu → florence
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

So, changing to an https url only solves the problem halfway. It turns out twisted's web client does not verify certs. That is also a problem for the backend charm store (https://store.juju.ubuntu.com). I am expanding this bug then, to include that url as well and clarifying the title to represent the true nature of the problem.

txaws includes twisted code to verify the certs on Ubuntu systems, so I will add that. This may mean that the client breaks on other systems such as OS X since OS X will not have its CA certificates in /etc/ssl.

Changed in juju:
status: In Progress → Fix Released
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Re: [Bug 965507] Re: Juju uses http to contact uec-images.ubuntu.com

Excerpts from Clint Byrum's message of Mon Mar 26 21:18:45 UTC 2012:
> So, changing to an https url only solves the problem halfway. It turns
> out twisted's web client does not verify certs. That is also a problem
> for the backend charm store (https://store.juju.ubuntu.com). I am
> expanding this bug then, to include that url as well and clarifying the
> title to represent the true nature of the problem.
>
> txaws includes twisted code to verify the certs on Ubuntu systems, so I
> will add that. This may mean that the client breaks on other systems
> such as OS X since OS X will not have its CA certificates in /etc/ssl.

FYI, the bug for verifying certs is bug #781949

Changed in juju (Ubuntu Precise):
milestone: none → ubuntu-12.04
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju - 0.5+bzr504-0ubuntu1

---------------
juju (0.5+bzr504-0ubuntu1) precise; urgency=low

  * New upstream snapshot (LP: #962507 LP: #953258 LP: #965507).
  * d/control: Depend and Build-Depend on python-oauth for MaaS.
  * d/control: Drop dummy ensemble package and make breaks/replaces
    broader to force removal of any ensemble package. (LP: #954492)
  * d/control: Move lxc, libvirt-bin, and zookeeper to Suggests to
    reduce the amount of packages installed on every node unecessarily
    and also avoid conflicting when deploying into a libvirt-bin
    default network VM (LP: #962389)
  * d/rules: skip test suite when nocheck is set.
  * d/rules: remove redundant dh_clean call
  * d/juju.install: remove usr, with only one binary package this is
    not necessary anymore and causes dh_install to fail because no
    files are installed to debian/tmp anymore.
  * d/rules,d/control,d/manpages,d/juju.manpages: Generate basic
    manpage from online help. (LP: #966611)
  * d/patches/no-write-sample-on-help.patch: Added so --help can be
    safely run without a writable home dir on buildds. (LP: #957682)
 -- Clint Byrum <email address hidden> Fri, 30 Mar 2012 15:28:16 -0700

Changed in juju (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers