Nova and Cinder key manager for Barbican misuses cached credentials
---
### Summary ###
During the Icehouse release the Cinder and Nova projects added a feature
that supports storage volume encryption using keys stored in Barbican.
The Barbican key manager, that is part of Nova and Cinder, had a
looks to me like OSSN-0056 was written during a mid-cycle and could be
> the right one.
> I’m struggling to work out the story behind OSSN-0050 – I’m adding
> Nathan Kinder who might be able to shed more light on this.
It looks like that one was added to the wiki b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Glance image signature uses an insecure hash algorithm (MD5)
---
### Summary ###
During the Liberty release the Glance project added a feature that
supports verifying images by their signature. There is a flaw in the
implementation that degrades
Potential reuse of revoked Identity tokens
---
### Summary ###
An authorization token issued by the Identity service can be revoked,
which is designed to immediately make that token invalid for future use.
When the PKI or PKIZ token providers are
Trusted VM can be powered on untrusted hosts
---
### Summary ###
A trusted VM that has been launched earlier on a trusted host can
still be powered on from the same host even after the trusted host is
compromised.
### Affected Services /
DoS attack on Glance service can lead to interruption or disruption
---
### Summary ###
The typical Glance workflow allows authenticated users to create an
image and upload the image content in a separate step. This can be
abused by malicious
Keystone token disclosure may result in malicious trust creation
---
### Summary ###
Keystone tokens are the foundation of authentication and authorization
in OpenStack. When a service node is compromised, it is possible that
an attacker would
Python-swiftclient exposes raw token values in debug logs
---
### Summary ###
The password and authentication token configuration options for the
python-swiftclient are not marked as secret. The values of these options
will be logged to the
Service accounts may have cloud admin privileges
---
### Summary ###
OpenStack services (for example Nova and Glance) typically use a
service account in Keystone to perform actions. In some cases this
service account has full admin privileges,
Potential Denial of Service in Horizon login
---
### Summary ###
Horizon uses the Python based Django web framework. Older versions of
this framework allow an unauthorized user to fill up the session store
database causing a Horizon denial of
Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
---
### Summary ###
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
authentication are not formatted correctly in the tgtadm configuration
file. This
Cached keystone tokens may be accepted after revocation
---
### Summary ###
Keystone auth_token middleware token and revocation list caching is used
to reduce the load on the keystone service. The default token cache time
is set to 300 seconds
Nova ironic driver logs sensitive information while operating in debug
mode
---
### Summary ###
The password and authentication token configuration options for the
ironic driver in nova are not marked as secret. The values of these
options will be
On 06/15/2015 09:16 AM, McPeak, Travis wrote:
I'd like to propose Michael McCune for CoreSec membership.
I've worked with Michael (elmiko) on numerous security tasks and
bugs, and he has a great grasp on security concepts and is very active
in the OpenStack security community. I think he
On 06/16/2015 02:28 AM, Clark, Robert Graham wrote:
I’d like to nominate Travis for a CoreSec position as part of the
Security project. - CoreSec team members support the VMT with extended
consultation on externally reported vulnerabilities.
Travis has been an active member of the
On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote:
To the Security and Docs groups as well as other interested parties,
I would like to nominate Mike McCune to the Security Guide core. He has been
contributing to the Security Guide for about six months now, and he has been
a consistent
Setting services to debug mode can also set Pecan to debug
---
### Summary ###
When debug mode is set for a service using Pecan (via --debug or
CONF.debug=True) Pecan is also set to debug. This can result in
accidental information disclosures.
### Affected Services / Software ###
Blazar,
Glance method filtering does not work under certain conditions
---
### Summary ###
Glance is using the Python assert statement for validating the HTTP
method type in its caching middleware for some image endpoints. The
Python documentation states
Keystone does not validate that identity providers match federation
mappings
---
### Summary ###
Keystone's OS-FEDERATION extension does not enforce a link between an
identity provider and a federation mapping. This can lead to assertions
or
Vulnerable clients allow a TLS protocol downgrade (FREAK)
---
### Summary ###
Some client-side libraries, including un-patched versions of OpenSSL,
contain a vulnerability which can allow a man-in-the-middle (MITM) to
force a TLS version downgrade.
On 03/05/2015 01:14 PM, Bryan D. Payne wrote:
To security-doc core and other interested parties,
Nathaniel Dillon has been working consistently on the security guide
since our first mid-cycle meet up last summer. In that time he has come
to understand the inner workings of the book and
Older versions of noVNC allow session theft
---
### Summary ###
Commonly packaged versions of noVNC allow an attacker to hijack user
sessions even when TLS is enabled. noVNC fails to set the secure flag
when setting cookies containing an
glibc 'GHOST' vulnerability can allow remote code execution
---
### Summary ###
A serious vulnerability in the GNU C library (glibc) gethostbyname*
functions can allow an attacker to perform remote code execution with
the privileges of the
and deployers of OpenStack must not rely on the scope of tokens
to limit what actions can be performed using them.
Concerned users are encouraged to read (OSSG member) Nathan Kinder's
blog post on this issue and some of the potential future solutions.
### Contacts / References ###
Nathan Kinder on Token
Suds client subject to cache poisoning by local attacker
---
### Summary ###
Suds is a Python SOAP client for consuming Web Services. Its default
cache implementation stores pickled objects to a predictable path in
/tmp. This can be used by a local
On 11/16/2014 10:51 AM, David Shrewsbury wrote:
On Nov 16, 2014, at 8:57 AM, Chris K nobody...@gmail.com wrote:
How cute.
maybe we could call him bear-thoven.
Chris
I like Blaze Bearly, lead singer for Ironic Maiden. :)
Possible Glance image exposure via Swift
---
### Summary ###
Glance is able to use Swift as a back end for storing virtual machine
images. When Glance is configured this way (in multi-tenant mode only),
it is possible for unauthenticated users to
Configuring OpenStack deployments to prevent POODLE attacks
---
### Summary ###
POODLE (CVE-2014-3566) is a new attack on SSLv3 that allows an active
network-based attacker to recover the plaintext from a secure connection
using a CBC-mode cipher.
On 10/18/2014 08:43 AM, lohit.valleru wrote:
Hello,
Thank you for posting this issue to openstack-dev. I had posted this on the
openstack general user list and was waiting for response.
May i know, if we have any progress regarding this issue.
I am trying to use external HTTPD
On 10/16/2014 12:30 PM, Dave Walker wrote:
Hi,
I think I considered the Federated plugin as a mismatch as it dealt
with 'remote' auth rather than 'external' auth. I thought it was for
purely handling SSO / SAML2, and not being subordinate to auth with
the webserver.
I'll dig into the
, but I have no way of
knowing what roles are required to perform a particular action without
consulting the policy.
-NGK
Tim
On Oct 14, 2014, at 1:56 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:
On 14/10/2014 01:25, Nathan Kinder wrote:
On 10/13/2014 01:17 PM, Morgan
On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an endpoint with
a current scoped token, it is impossible to know what actions are available
to a user.
Horizon makes some attempts to solve this issue by sourcing all of the
Nova leaks compute host SMBIOS serial number to guests
---
### Summary ###
When Nova is using the libvirt virtualization driver, the SMBIOS
serial number supplied by libvirt is provided to the guest instances
that are running on a compute node.
09:58 AM, Nathan Kinder wrote:
Neutron FWaaS rules lack port restrictions when using protocol 'any'
---
### Summary ###
A bug in the Neutron FWaaS (Firewall as a Service) code results in
iptables rules being generated that do not reflect desired port
restrictions. This behaviour is triggered
Bash 'shellshock' bug can lead to code injection vulnerability
---
### Summary ###
A bug in the GNU Bash shell (4.3 and lower) exposes a code injection
vulnerability via crafted environment variables (Shellshock,
CVE-2014-6271, CVE-2014-7169).
Sensitive data is exposed in log statements by python-keystoneclient
---
### Summary ###
Python-keystoneclient is a client tool for the OpenStack Identity API,
which is implemented by the Keystone project. Various OpenStack services
including the
Neutron FWaaS rules lack port restrictions when using protocol 'any'
---
### Summary ###
A bug in the Neutron FWaaS (Firewall as a Service) code results in
iptables rules being generated that do not reflect desired port
restrictions. This behaviour
Neutron ARP cache poisoning vulnerability
---
### Summary ###
The Neutron firewall driver 'iptables_firewall' does not prevent ARP
cache poisoning, as this driver is currently only capable of MAC address
and IP address based anti-spoofing rules.
Disassociating floating IPs does not terminate NAT connections with
Neutron L3 agent
---
### Summary ###
Every virtual instance is automatically assigned a private IP address.
You may optionally assign public IP addresses to instances. OpenStack
On 09/12/2014 12:46 AM, Angus Lees wrote:
On Thu, 11 Sep 2014 03:21:52 PM Steven Hardy wrote:
On Wed, Sep 10, 2014 at 08:46:45PM -0400, Jamie Lennox wrote:
For service to service communication there are two types.
1) using the user's token like nova-cinder. If this token expires there
is
Unrestricted write permission to config files can allow code execution
---
### Summary ###
In numerous places throughout OpenStack projects, variables are read
directly from configuration files and used to construct statements
which are executed
Keystone logs auth tokens in URLs at the INFO log level
---
### Summary ###
When a client accesses Keystone using the Identity API version 2, the
tokens will be logged as part of some request URLs. Specifically all
requests to the tokens resource
On 08/17/2014 09:08 AM, Matt Riedemann wrote:
I'm seeing some nova stable/havana patches failing consistently on
keystone bug 1357652 [1], keystone won't start due to an import error.
I'm not seeing any recent changes for keystone in stable/havana so not
sure if this is an infra issue or
On 08/17/2014 09:18 AM, Nathan Kinder wrote:
On 08/17/2014 09:08 AM, Matt Riedemann wrote:
I'm seeing some nova stable/havana patches failing consistently on
keystone bug 1357652 [1], keystone won't start due to an import error.
I'm not seeing any recent changes for keystone in stable
On 08/17/2014 01:58 PM, Matt Riedemann wrote:
On 8/17/2014 3:36 PM, Alan Pevec wrote:
2014-08-17 22:25 GMT+02:00 Matt Riedemann mrie...@linux.vnet.ibm.com:
The other thing I thought was we could cap the version of
python-keystoneclient in stable/havana, would that be bad?
stable/havana
On 08/17/2014 05:40 PM, Nathan Kinder wrote:
On 08/17/2014 01:58 PM, Matt Riedemann wrote:
On 8/17/2014 3:36 PM, Alan Pevec wrote:
2014-08-17 22:25 GMT+02:00 Matt Riedemann mrie...@linux.vnet.ibm.com:
The other thing I thought was we could cap the version of
python-keystoneclient
Nova Networking does not enforce security group rules following a soft
reboot of an instance
---
### Summary ###
In deployments using Nova Networking, security group rules associated
with an instance may not be enforced after a soft reboot. Nova is
Owners of compromised accounts should verify Keystone trusts
---
### Summary ###
The Keystone 'trusts' API allows for delegation of privileges to one
user on behalf of another. This API can allow for an attacker of a
compromised account to set up
Hi,
I've had a few discussions recently related to Keystone trusts with
regards to imposing restrictions on trusts at a deployment level.
Currently, the creator of a trust is able to specify the following
restrictions on the trust at creation time:
- an expiration time for the trust
- the
On 07/22/2014 06:55 PM, Steven Hardy wrote:
On Tue, Jul 22, 2014 at 05:20:44PM -0700, Nathan Kinder wrote:
Hi,
I've had a few discussions recently related to Keystone trusts with
regards to imposing restrictions on trusts at a deployment level.
Currently, the creator of a trust is able
On 07/11/2014 08:43 AM, Morgan Fainberg wrote:
The Keystone team is happy to announce that as of yesterday (July 10th 2014),
with the merge of https://review.openstack.org/#/c/100747/ Keystone is now
gating on Apache + mod_wsgi based deployment. This also has moved the default
for
On 07/01/2014 12:15 PM, Dolph Mathews wrote:
On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair alistair.co...@hp.com wrote:
We have a change [1] under review in Swift to make access control
lists compatible with migration to keystone v3 domains. The
On 07/01/2014 07:48 PM, Robert Collins wrote:
Wearing my HTTP fanatic hat - I think this is actually an important
change to do. Skew like this can cause all sorts of odd behaviours in
client libraries.
+1. The current behavior of inconsistent response codes between the two
recommended
Cinder SSH Pool will auto-accept SSH host signatures by default
---
### Summary ###
In OpenStack releases prior to Juno, the SSH connection pool used by
Cinder drivers to control SAN hosts will silently auto-accept SSH host
fingerprints. This
Nova Network configuration allows guest VMs to connect to host services
---
### Summary ###
When using Nova Network to manage networking for compute instances,
instances are able to reach network services running on the host
system. This may be a
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:
Ok, I’ll hack together a dev plugin over the next week or so, other work
notwithstanding. Where possible I’ll probably borrow from the dog tag
plugin as I’ve not looked closely at the plugin infrastructure in Barbican
recently.
My
Session-fixation vulnerability in Horizon when using the default
signed cookie sessions
---
### Summary ###
The default setting in Horizon is to use signed cookies to store
session state on the client side. This creates the possibility that if
an
Hi Tim,
Jamie Lennox (cc'd) has been the main developer working on Kite. I'm
sure he would appreciate you getting involved in reviews [1] and any
other development help you're willing to contribute. Patches have
slowly been landing in the kite repo. [2]
For others not familiar with Kite, there
Hi,
The previous revision of this OSSN specified an incorrect workaround.
This new revision should supersede the old revision.
Thanks,
-NGK
--
Some versions of Glance do not
Cinder wipe fails in an insecure manner on Grizzly
---
### Summary ###
A configuration error can prevent the secure erase of volumes in Cinder
on Grizzly, potentially allowing a user to recover another user’s data.
### Affected Services / Software
Multiple Cinder drivers set insecure file permissions
---
### Summary ###
Several Cinder volume drivers set insecure file permissions for various
files and directories. These permissions render the files accessible for
read and write to any user
Glance allows non-admin users to create public images
---
### Summary ###
The default policy settings in Glance allow any user to upload an image
that is publicly available to all users. This can allow a malicious user
to upload a vulnerable image
On 05/22/2014 07:48 AM, Jarret Raim wrote:
All,
There was some interest at the Summit in semi-combining the mid-cycle meet
ups for Barbican, Keystone and the OSSG as there is some overlap in team
members and interest areas. The current dates being considered are:
Mon, July 7 - Barbican
On 05/08/2014 03:19 AM, Samuel Bercovici wrote:
Hi,
Please note as commented also by other XaaS services that managing SSL
certificates is not a sole LBaaS challenge.
This calls for either an OpenStack wide service or at least a Neutron
wide service to implement such use cases.
Some versions of Glance do not apply property protections as expected
---
### Summary ###
Tom Leaman reported an issue to the OpenStack mailing list that affects
Glance property protections. A permissive property setting in the Glance
property
On 05/05/2014 03:29 PM, Jiang, Yunhong wrote:
Hi, all
The trusted messaging
(https://blueprints.launchpad.net/oslo.messaging/+spec/trusted-messaging) has
been removed from icehouse, does anyone know how is current status? I noticed
a summit session may cover it (
On 04/25/2014 12:50 AM, Carlos Garza wrote:
Trevor is referring to our plans on using the SSL session ID of the
ClientHello to provide session persistence.
See RFC 5264 section 7.4.1.2 which sends an SSL session ID in the clear
(Unencrypted) so that a load balancer with out the
On 04/18/2014 06:55 AM, Lisa Clark wrote:
Barbicaneers,
Is anyone following the openstack-security list and/or part of the
OpenStack Security Group (OSSG)? This sounds like another group and list
we should keep our eyes on.
In the below thread on the security list, Nathan Kinder
your involvement in
OSSG. In fact, there has been much interest in OSSG about the Barbican
project. And I believe that many people from the group are contributing
to Barbican.
In the below thread on the security list, Nathan Kinder is
conducting a
security audit
Sample Keystone v3 policy exposes privilege escalation vulnerability
---
### Summary ###
The policy.v3cloudsample.json sample Keystone policy file combined with
the underlying mutability of the domain ID for user, group, and project
entities
OpenSSL Heartbleed vulnerability can lead to OpenStack compromise
---
### Summary ###
A vulnerability in OpenSSL can lead to leaking of confidential data
protected by SSL/TLS in an OpenStack deployment.
### Affected Services / Software ###
On 04/10/2014 09:48 AM, Russell Bryant wrote:
On 04/10/2014 11:39 AM, Steven Hardy wrote:
On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote:
Hi,
We don't currently collect high-level security related information about
the projects for OpenStack releases. Things like the crypto
Hi,
We don't currently collect high-level security related information about
the projects for OpenStack releases. Things like the crypto algorithms
that are used or how we handle sensitive data aren't documented anywhere
that I could see. I did some thinking on how we can improve this. I
wrote
Potential token revocation abuse via group membership
---
### Summary ###
Deletion of groups in Keystone causes token revocation for group
members. If group capabilities are delegated to users, they can abuse
those capabilities to maliciously
On 03/26/2014 09:51 AM, Clint Byrum wrote:
Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700:
Hi
We don't have a strong attachment to stunnel though, I quickly dropped it in
front of our CI/CD undercloud and Rob wrote the element so we could repeat
the deployment.
In the
(for example, it
is not possible to set user_filter to members of certain known groups
for OpenLDAP without creating a memberOf overlay on the LDAP server).
[Nathan Kinder] What attributes would you filter on? It seems to me
that LDAP would need to have knowledge of the roles to be able to filter
DoS style attack on noVNC server can lead to service interruption or
disruption
---
### Summary ###
There is currently no limit to the number of noVNC or SPICE console
sessions that can be established by a single user. The console host has
limited
capabilities:
http://libvirt.org/migration.html
Thanks,
-NGK
-Hao
-Original Message- From: Nathan Kinder [mailto:nkin...@redhat.com] Sent:
March 7, 2014 3:36 To: OpenStack Development Mailing List (not for
usage questions) Subject: [openstack-dev] [OSSN] Live migration
instructions recommend
Glance allows sharing of images between projects without consumer
project approval
---
### Summary ###
Glance allows images to be shared between projects. In certain API
versions, images can be shared without the consumer project's
approval. This
On 12/11/2013 08:08 PM, Bryan D. Payne wrote:
We can involve people in security reviews without having them on the
core review team. They are separate concerns.
Yes, but those people can't ultimately approve the patch. So you'd need
to have a security reviewer do their review,
On 11/27/2013 08:58 AM, Paul Montgomery wrote:
I created some relatively high level security best practices that I
thought would apply to Solum. I don't think it is ever too early to get
mindshare around security so that developers keep that in mind throughout
the project. When a design
On 11/23/2013 08:28 AM, Tim Bell wrote:
Horizon uses Project in the user interface, yet the openstack.rc file
contains tenant_id and tenant_name. It makes it very difficult to write user
guides given that such a fundamental concept has two names.
+1. I struggled with this
Authenticated users are able to update passwords without providing
their current password
---
### Summary ###
An authenticated user is able to change their password without
providing their current password. This allows compromised
authentication