NeutronMetadataProxySharedSecret isn't set

Bug #1516027 reported by Dougal Matthews
Affects  Status        Importance  Assigned to      Milestone
tripleo  Fix Released  High        Dougal Matthews

Bug Description

The Heat parameter NeutronMetadataProxySharedSecret isn't set when deploying via the CLI. Without this parameter, Neutron has a blank value for its shared secret. This value is used to prevent spoofing, thus the default value of "unset" is bad. This exposes a potential attack vector.

Dougal Matthews (d0ugal) wrote :
Dougal Matthews (d0ugal)
summary: - Security bug: NeutronMetadataProxySharedSecret isn't set
+ NeutronMetadataProxySharedSecret isn't set
Dougal Matthews (d0ugal)
Changed in tripleo:
assignee: nobody → Dougal Matthews (d0ugal)
Dan Prince (dan-prince) wrote :

Looks good to me.

Steven Hardy (shardy) wrote :

Not quite sure why NeutronVniRanges have moved, but that's a nit, looks good to me.

Dan Prince (dan-prince)
information type: Private Security → Public
Changed in tripleo:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/254857
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=071968841692bffdd44c0eb34bf01df0e291d6b3
Submitter: Jenkins
Branch: master

commit 071968841692bffdd44c0eb34bf01df0e291d6b3
Author: Dougal Matthews <email address hidden>
Date: Tue Dec 8 16:40:39 2015 +0000

    Set NeutronMetadataProxySharedSecret

    This patch uses the standard password generation functionality to
    randomly set the NeutronMetadataProxySharedSecret parameter.

    Without this parameter, Neutron has a blank value for its shared
    secret. This value is used to prevent spoofing, thus the
    default value of "unset" is bad. This exposes a potential attack
    vector.

    Closes-Bug: #1516027
    Change-Id: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
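
As an added example (not tripleo, Neutron or Nova code), the following models what the bug description and the commit above describe: the metadata proxy signs each instance ID with HMAC-SHA256 under the shared secret, so a blank or "unset" secret lets any party compute a signature that verifies, and the fix is to generate a random value whenever none is supplied. The check function, the sample instance ID and the use of `secrets.token_urlsafe` as a stand-in for tripleoclient's password generation are assumptions of this example.

```python
"""Added example (not tripleo, Neutron or Nova code): why a blank or "unset"
NeutronMetadataProxySharedSecret is unsafe, and the deploy-time fix."""
import hashlib
import hmac
import secrets

# The predictable defaults the bug report and the heat-templates commit describe.
UNSAFE_SECRETS = {"", "unset"}
PARAM = "NeutronMetadataProxySharedSecret"


def sign_instance_id(shared_secret: str, instance_id: str) -> str:
    """HMAC-SHA256 over the instance ID under the shared secret, the same
    construction the Neutron metadata proxy uses for X-Instance-ID-Signature."""
    return hmac.new(shared_secret.encode(), instance_id.encode(),
                    hashlib.sha256).hexdigest()


def verify_instance_id(shared_secret: str, instance_id: str, signature: str) -> bool:
    """Nova-side check: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign_instance_id(shared_secret, instance_id), signature)


def default_secret_forgery_accepted(parameters: dict) -> bool:
    """Defender's check: does a signature computed with only a predictable default
    verify against this deployment's real secret? True means the metadata proxy's
    instance-ID binding provides no protection against spoofing."""
    actual = parameters.get(PARAM, "")
    instance_id = "11111111-2222-3333-4444-555555555555"  # constructed sample ID
    return any(verify_instance_id(actual, instance_id, sign_instance_id(g, instance_id))
               for g in UNSAFE_SECRETS)


def ensure_shared_secret(parameters: dict) -> dict:
    """Mirror the python-tripleoclient fix: if the parameter is missing or left at
    an unsafe default, replace it with a randomly generated secret (assumed stand-in
    for tripleoclient's password generation)."""
    if parameters.get(PARAM, "") in UNSAFE_SECRETS:
        return dict(parameters, **{PARAM: secrets.token_urlsafe(32)})
    return parameters


if __name__ == "__main__":
    before = {PARAM: ""}  # constructed: parameters as the CLI produced them before the fix
    after = ensure_shared_secret(before)
    print("forgery accepted before fix:", default_secret_forgery_accepted(before))  # True
    print("forgery accepted after fix: ", default_secret_forgery_accepted(after))   # False
```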

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/255423
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=293f19b2a41386e1eea47a9e6add24b006c69c42
Submitter: Jenkins
Branch: master

commit 293f19b2a41386e1eea47a9e6add24b006c69c42
Author: Steven Hardy <email address hidden>
Date: Wed Dec 9 18:23:08 2015 +0000

    Remove unsafe "unset" defaults

    All of our sensitive parameters are defaulted to easily predictable
    values, which is very bad from a security perspective because we don't
    force clients to make sane choices and thus risk deploying with the
    predictable default values. tripleoclient supports generating random
    values for all of these, so remove the defaults; for non-tripleoclient
    usage we can create a developer-only environment with defaults.

    Related-Bug: #1516027
    Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
    Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/268131

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/liberty)

Reviewed: https://review.openstack.org/268131
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=521dfbe91bdb7db483d861b8d62e0821d6f16ada
Submitter: Jenkins
Branch: stable/liberty

commit 521dfbe91bdb7db483d861b8d62e0821d6f16ada
Author: Dougal Matthews <email address hidden>
Date: Tue Dec 8 16:40:39 2015 +0000

    Set NeutronMetadataProxySharedSecret

    This patch uses the standard password generation functionality to
    randomly set the NeutronMetadataProxySharedSecret parameter.

    Without this parameter, Neutron has a blank value for its shared
    secret. This value is used to prevent spoofing, thus the
    default value of "unset" is bad. This exposes a potential attack
    vector.

    Closes-Bug: #1516027
    Change-Id: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
    (cherry picked from commit 071968841692bffdd44c0eb34bf01df0e291d6b3)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/liberty)

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/288057

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/liberty)

Reviewed: https://review.openstack.org/288057
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1a0c7d97165c1b38dc9f78b82ac6ec8519fcf80c
Submitter: Jenkins
Branch: stable/liberty

commit 1a0c7d97165c1b38dc9f78b82ac6ec8519fcf80c
Author: Steven Hardy <email address hidden>
Date: Wed Dec 9 18:23:08 2015 +0000

    Remove unsafe "unset" defaults

    All of our sensitive parameters are defaulted to easily predictable
    values, which is very bad from a security perspective because we don't
    force clients to make sane choices and thus risk deploying with the
    predictable default values. tripleoclient supports generating random
    values for all of these, so remove the defaults; for non-tripleoclient
    usage we can create a developer-only environment with defaults.

    Related-Bug: #1516027
    Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
    Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
    (cherry picked from commit 293f19b2a41386e1eea47a9e6add24b006c69c42)
