[Openstack-security] [OSSN] Draft: Nova Baremetal Exposes Previous Tenant Data
Kurt Seifried
kseifried at redhat.com
Tue Jul 2 16:48:55 UTC 2013
On 07/02/2013 08:48 AM, Clark, Robert Graham wrote:
> Nova Baremetal Exposes Previous Tenant Data
>
> ### Summary ###
> Data of previous tenants may be exposed to new ones when using Nova Baremetal
>
> ### Affected Services / Software ###
> Keystone, Databases
>
> ### Discussion ###
> Nova Baremetal is intended for testing and development only; it is not
> intended to be production ready. Experience has shown that despite that
> warning the OpenStack community is keen to embrace new technologies and
> deploy at-risk. This OSSN serves to signpost some of the risks.
>
> Without secure boot, and without full openflow hardware networking
> during the boot process, it is impossible to trust multiple tenants
> on baremetal at all, because the vectors for attack are so low
> level that instances may be running in a virtual environment and
> unaware of it, with the virtual environment capturing secrets,
> forcing entropy pools to be predictable and other such hostile
> behaviour.
>
> ### Recommended Actions ###
> Do not use Nova Baremetal where secure separation of tenants on
> hardware is a requirement without a full verifiable boot chain and
> network hardware.
>
> ### Contacts / References ###
> This OSSN : https://bugs.launchpad.net/ossn/+bug/1174153
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
This sounds like it needs a CVE #. Any reason it wasn't given one?
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993