Private key `vtep-privkey.pem` resides in the Ansible files directory for
the open-contrail role in Compass4NFV.
---

Date: Sep 21, 2016

CVE #: Pending

### Affects ###

Brahmaputra release.

### Description ###

A private key, ‘vtep-privkey.pem’, was discovered in the Ansible role for
open-contrail in the Compass4NFV project folders. Because this key is in
the public domain (git repository), a user who deploys it could be exposed
to man-in-the-middle type attacks between the Open vSwitch Database
(OVSDB) and the ToR (top-of-rack) switch.

### Patches ###

https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

### Steps to patch ###

#### Brahmaputra ####

Users of Brahmaputra should follow the steps outlined below to patch
this issue.

1. Update compass4nfv code

If you don't have a local copy of the compass4nfv code, clone the
repository and check out the latest stable/brahmaputra branch code.

$ git clone https://git.opnfv.org/cgit/compass4nfv/
$ cd compass4nfv
$ git checkout remotes/origin/stable/brahmaputra

If you already have a local copy, change to the compass4nfv code
directory and run:

$ git branch --set-upstream-to=origin/stable/brahmaputra stable/brahmaputra
$ git pull

or

$ rm -rf deploy/adapters/ansible/roles/open-contrail/files/provision

2. Follow the installation guide [1] to deploy OpenStack (skip this step
if you have already deployed OpenStack)

3. Remove the vtep-privkey.pem key from compass-core

Log in to compass-core (192.168.200.2) over SSH as root, then run the
following command:

# find / -type f -name vtep-privkey.pem -exec rm -f {} +
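
A follow-up check for the steps above, added here as an example (it is not part of the original advisory or of the Compass4NFV code): it scans a directory tree for PEM private key blocks by content, so a copy of the key saved under a different file name is also reported. The function name `find_private_keys` is hypothetical, and only the files on disk are examined, not git history.

```shell
#!/bin/sh
# Added example (not from the advisory): report files that contain PEM
# private key material, matching on content rather than on file name.

# find_private_keys DIR
#   Prints the path of every regular file under DIR that contains a
#   "-----BEGIN ... PRIVATE KEY-----" header (RSA, EC, PKCS#8, OpenSSH...).
#   The .git directory is skipped; only the working tree is checked.
#   Returns 0 if nothing was found, 1 if key material was found,
#   2 if DIR is not a directory.
find_private_keys() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # grep -l prints only the names of matching files. find exits non-zero
    # when grep finds no match in a batch, so that status is ignored here.
    matches=$(find "$dir" -type d -name .git -prune -o -type f \
        -exec grep -l -E -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + \
        2>/dev/null) || true

    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Stand-alone use: pass the directory to scan as the first argument,
# for example the compass4nfv checkout.
if [ "$#" -gt 0 ]; then
    find_private_keys "$1"
fi
```

Run it against the compass4nfv checkout after step 1 and on compass-core after step 3; a clean result prints nothing and returns 0.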

#### Colorado ####

No action is required for Colorado release users, as the fix has been
applied directly into the master branch pre-release.

### Contact and References ###

Reported by: Luke Hinds, Red Hat
Contact: opnfv-secur...@lists.opnfv.org
This Advisory: https://wiki.opnfv.org/pages/viewpage.action?pageId=7768349
[1] http://artifacts.opnfv.org/compass4nfv/brahmaputra/docs/configguide/index.html
http://www.juniper.net/techpubs/en_US/junos16.1/topics/task/installation/sdn-ovsdb-ssl-files-installing.html

