Glance image signature uses an insecure hash algorithm (MD5)
---
### Summary ###
During the Liberty release the Glance project added a feature that supports verifying images by their signature. There is a flaw in the implementation that degrades verification by using the weak MD5 algorithm.

### Affected Services / Software ###
Glance, Liberty

### Discussion ###
A signature algorithm is typically created by hashing data and then encrypting that hash in some way. In the case of the new Glance feature the signature algorithm does not hash the image to be verified. It rehashes the existing MD5 checksum that is used to locally verify the integrity of image data stored in Glance.

The Glance image signature algorithm uses configurable hash algorithms. No matter which algorithm is used, the overall security of the algorithm is degraded to that of MD5, because instead of applying it to the image data it is applied only to the MD5 checksum that already exists in Glance.

The image signature algorithm is a relatively new feature, introduced in the Liberty release.

### Recommended Actions ###
Users concerned with image security should be aware that the current Glance signature algorithm is not secure by today's cryptographic standards. A specification for a fix has been proposed by the Glance development team and is targeted for the Mitaka release.
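The following is an added illustration of the construction described above; it is not Glance's code. It assumes an HMAC as a stand-in for Glance's asymmetric signing step and a constructed demo key and image, so that it runs with the Python standard library alone; the point it shows is that under the flawed construction a SHA-256-configured signature is a function of the 32-character MD5 checksum only, whereas the corrected construction depends on the image bytes.

```python
import hashlib
import hmac

# Constructed demo key. Glance signs with an asymmetric key; HMAC stands in
# here only so the example runs offline with the standard library (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"


def md5_checksum(image_data: bytes) -> str:
    """Glance's pre-existing local integrity checksum of the image data."""
    return hashlib.md5(image_data).hexdigest()


def flawed_signature(image_data: bytes, hash_name: str) -> str:
    """Construction described in OSSN-0061: the configurable hash (hash_name)
    is applied to the MD5 checksum string, not to the image itself."""
    return flawed_signature_from_checksum(md5_checksum(image_data), hash_name)


def flawed_signature_from_checksum(checksum: str, hash_name: str) -> str:
    """Same computation, but starting from the checksum alone: any data with
    this MD5 checksum carries exactly the same signature, whatever hash_name is."""
    return hmac.new(SIGNING_KEY, checksum.encode("ascii"), hash_name).hexdigest()


def fixed_signature(image_data: bytes, hash_name: str) -> str:
    """Corrected construction: the chosen hash is applied to the image bytes,
    so the signature is as strong as hash_name rather than as weak as MD5."""
    return hmac.new(SIGNING_KEY, image_data, hash_name).hexdigest()


def verify(signature: str, image_data: bytes, hash_name: str, scheme) -> bool:
    """Recompute the signature with the given scheme and compare in constant time."""
    return hmac.compare_digest(signature, scheme(image_data, hash_name))


if __name__ == "__main__":
    image = b"constructed sample image bytes"  # constructed sample input
    sig = flawed_signature(image, "sha256")
    # True: the SHA-256 signature is fully determined by the MD5 checksum.
    print(sig == flawed_signature_from_checksum(md5_checksum(image), "sha256"))
    # True / False: the fixed scheme accepts the image and rejects a modified one.
    print(verify(fixed_signature(image, "sha256"), image, "sha256", fixed_signature))
    print(verify(fixed_signature(image, "sha256"), image + b"!", "sha256", fixed_signature))
```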
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0061
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1516031
OpenStack Security ML : [email protected]
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Glance Spec for fix : https://review.openstack.org/#/c/252462/
CVE : CVE-2015-8234
