[openstack-dev] [OSSN 0063] Nova and Cinder key manager for Barbican misuses cached credentials

Sean McGinnis sean.mcginnis at gmx.com
Thu Jun 9 21:35:41 UTC 2016


On Thu, Jun 09, 2016 at 12:52:03PM -0700, Nathan Kinder wrote:
> Nova and Cinder key manager for Barbican misuses cached credentials
> ---
> 
> ### Summary ###
> During the Icehouse release the Cinder and Nova projects added a feature
> that supports storage volume encryption using keys stored in Barbican.
> The Barbican key manager, which is part of Nova and Cinder, had a bug
> that could cause an authorized user to lose access to an encryption key
> or allow the wrong user to gain access to an encryption key.
> 
> ### Affected Services / Software ###
> Cinder: Icehouse, Juno, Kilo, Liberty
> Nova: Juno, Kilo, Liberty
> 
> ...
>
> A specification for a fix has been merged for the Mitaka release of both
> Nova and Cinder. Additionally these patches have been backported to
> stable/kilo and stable/liberty.
> 
> ### Contacts / References ###
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063
> Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1523646
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> Nova patch for Mitaka : https://review.openstack.org/254358/
> Nova patch for stable/liberty: https://review.openstack.org/288490
> Cinder patch for Mitaka : https://review.openstack.org/254357/
> Cinder patch for stable/liberty: https://review.openstack.org/266678
> Cinder patch for stable/kilo: https://review.openstack.org/266680
> CVE : N/A
> 

Thanks for the detailed write-up, Nathan!

Sean (smcginnis)


