[Openstack-security] [Bug 1372635] Re: MITM vulnerability with EMC VMAX driver

Thierry Carrez thierry.carrez+lp at gmail.com
Fri Oct 10 15:02:46 UTC 2014


@Rob: unfortunately we singled out that design flaw a long time ago (you
were still on the VMT then) and nothing was done to fix it. In some
cases it's oversight (like in this driver), in some others it's an
architectural choice (like in Swift using unencrypted rsync on the
management network). Unless a group takes on the task to fix it
throughout OpenStack (and follows up with patches and hangs there until
they get approved and merged), I don't see any progress coming.

Do you think the OSSG could form a workgroup around that? We already
have one proposed to eradicate XSS from Horizon... we really need one
taking on the absence of proper encryption on the management network side.

https://bugs.launchpad.net/bugs/1372635

Title:
  MITM vulnerability with EMC VMAX driver

Status in Cinder:
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  The EMC VMAX driver in Juno appears to blindly trust whatever
  certificate it gets back from the device without any validation (it
  does not specify the ca_certs parameter, etc. on
  WBEMConnection.__init__). This would leave it open to a MITM attack.
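The fix the bug description implies, as an added example (not code from the Cinder VMAX driver or from pywbem): build the WBEMConnection keyword arguments so that a CA bundle is always supplied, and check that the bundle actually loads before trusting it. It assumes a pywbem release whose WBEMConnection accepts `ca_certs` and `no_verification` (the report only names `ca_certs`); the bundle check uses the standard `ssl` module and runs without pywbem installed.

```python
import os
import ssl

try:
    from pywbem import WBEMConnection   # only needed to open a real session
except ImportError:                      # pywbem absent: settings can still be checked
    WBEMConnection = None

# Constructed sample of the Juno-style call: no trust anchor is supplied, so
# whatever certificate the array's SMI-S provider presents is accepted.
JUNO_STYLE_KWARGS = {"url": "https://smis.example.invalid:5989",
                     "creds": ("admin", "secret"), "ca_certs": None}


def is_blind_trust(kwargs):
    """True when the kwargs would give TLS without server authentication."""
    return kwargs.get("ca_certs") is None or bool(kwargs.get("no_verification"))


def hardened_kwargs(url, creds, ca_certs):
    """WBEMConnection keyword arguments that require validation against ca_certs."""
    if not url.lower().startswith("https://"):
        raise ValueError("SMI-S endpoint must be https, got %r" % url)
    if not ca_certs:
        raise ValueError("ca_certs (path to the CA bundle) is required")
    return {"url": url, "creds": creds, "ca_certs": ca_certs, "no_verification": False}


def ca_bundle_ok(path=None, pem_data=None):
    """Check that a CA bundle (file path or PEM text) loads as trust anchors.

    A mistyped path or a non-PEM file would otherwise only show up later as a
    connection failure, so it is checked up front with the stdlib ssl module.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname checking
    try:
        if path is not None:
            if not os.path.isfile(path):
                return False
            ctx.load_verify_locations(cafile=path)
        else:
            ctx.load_verify_locations(cadata=pem_data)
    except (ssl.SSLError, ValueError, TypeError):
        return False
    return True


def connect(url, creds, ca_certs):
    """Open the SMI-S session with server-certificate validation enforced."""
    if WBEMConnection is None:
        raise RuntimeError("pywbem is not installed")
    if not ca_bundle_ok(path=ca_certs):
        raise ValueError("CA bundle %r is missing or not PEM" % ca_certs)
    return WBEMConnection(**hardened_kwargs(url, creds, ca_certs))
```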
