[Openstack-security] [Bug 1372635] Re: MITM vulnerability with EMC VMAX driver
Xing Yang
1372635 at bugs.launchpad.net
Fri Oct 17 03:27:19 UTC 2014
Jay,
The code changes required in the driver are minimal:
We just need to use the two new parameters "ca_certs" and "no_verification" in the new Connection API:
import pywbem  # needs pywbem 0.8.0 or later; 0.7.0 has no ca_certs/no_verification

# url, creds and namespace come from the driver's configuration
conn = pywbem.WBEMConnection(url,
                             creds,
                             default_namespace=namespace,
                             x509=None,
                             verify_callback=None,
                             # CA bundle the provider's certificate must chain to
                             ca_certs='/etc/cinder/ca_certs/dsib2202.lss.emc.com.crt',
                             no_verification=False)  # False: verify the certificate
However, we encountered problems when testing this. The pywbem library
packaged with Ubuntu 12.04 and 14.04 is 0.7.0, which was released in
12/12/2008. It doesn't support "ca_certs" and "no_verification".
Version 0.8.0 is still under development.
There are newer RPM packages that have these parameters and we tried to
convert the RPM package but couldn't get it to work on Ubuntu. Until
Ubuntu has the newer version of the pywbem library, we can't make these
changes that don't work on Ubuntu.
Let me know if you have other suggestions. Thanks.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372635
Title:
MITM vulnerability with EMC VMAX driver
Status in Cinder:
Triaged
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The EMC VMAX driver in Juno appears to blindly trust whatever
certificate it gets back from the device without any validation (it
does not specify the ca_certs parameter, etc. on
WBEMConnection.__init__). This would leave it open to a MITM attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372635/+subscriptions
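The message above describes the core of the fix (pass ca_certs and no_verification=False to WBEMConnection) and the practical obstacle (pywbem 0.7.0 on Ubuntu silently has neither parameter). The following is an added example, not code from the Cinder VMAX driver, from pywbem, or from the original message. It shows a fail-closed way to handle that situation: detect from the constructor signature whether the installed library can verify certificates, refuse to open an unverified HTTPS connection unless an operator explicitly opts in, and, separately, what a verifying TLS client must configure underneath. The two *WBEMConnection classes are stand-ins for the 0.7.0 and 0.8-style signatures so it runs without pywbem; the helper names, the URL and the CA path are assumptions constructed for the example.

```python
"""Fail-closed use of pywbem's certificate-verification parameters.

Added example: this is neither the Cinder VMAX driver's code nor pywbem's.
It assumes, as the message above describes, that a verifying
WBEMConnection.__init__ accepts ``ca_certs`` and ``no_verification`` and
that the pywbem 0.7.0 constructor accepts neither. The two *WBEMConnection
classes below are stand-ins for those two signatures so the logic runs
without pywbem installed.
"""
import inspect
import ssl


class OldWBEMConnection:
    """Stand-in for the pywbem 0.7.0 constructor: no verification knobs."""

    def __init__(self, url, creds=None, default_namespace=None,
                 x509=None, verify_callback=None):
        self.url = url
        self.verifies = False  # nothing the caller can do about it


class NewWBEMConnection:
    """Stand-in for a pywbem 0.8 style constructor with the two parameters."""

    def __init__(self, url, creds=None, default_namespace=None,
                 x509=None, verify_callback=None, ca_certs=None,
                 no_verification=False):
        self.url = url
        self.ca_certs = ca_certs
        self.verifies = not no_verification


class UnverifiedTLSError(RuntimeError):
    """Raised instead of silently opening an unverified HTTPS connection."""


def supports_verification(conn_cls):
    """True if the constructor accepts both ca_certs and no_verification."""
    params = inspect.signature(conn_cls.__init__).parameters
    return "ca_certs" in params and "no_verification" in params


def make_connection(conn_cls, url, creds, namespace, ca_certs,
                    allow_unverified=False):
    """Open a connection to the SMI-S provider, verifying its certificate.

    With a library that lacks the parameters (pywbem 0.7.0) this raises
    rather than quietly degrading to a connection that trusts any
    certificate; an operator must opt into that with allow_unverified=True.
    """
    if not url.startswith("https://"):
        # Plain HTTP: there is no certificate to verify in the first place.
        return conn_cls(url, creds, default_namespace=namespace)
    if supports_verification(conn_cls):
        return conn_cls(url, creds, default_namespace=namespace,
                        x509=None, verify_callback=None,
                        ca_certs=ca_certs, no_verification=False)
    if allow_unverified:
        return conn_cls(url, creds, default_namespace=namespace)
    raise UnverifiedTLSError(
        "%s has no ca_certs/no_verification parameters; refusing to connect "
        "to %s without certificate validation" % (conn_cls.__name__, url))


def hardened_ssl_context(ca_certs=None):
    """What a verifying client must do underneath: require a chain to a
    trusted CA and check the hostname. ca_certs is a PEM bundle path;
    None falls back to the system trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if ca_certs is not None:
        ctx.load_verify_locations(cafile=ca_certs)  # FileNotFoundError if absent
    else:
        ctx.load_default_certs()
    return ctx


def trust_anything_context():
    """The behaviour the bug report describes: any certificate is accepted,
    so an on-path attacker can present their own and read the credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(ctx):
    """(verify_mode name, hostname check) for a context, e.g. in tests."""
    return (ctx.verify_mode.name, ctx.check_hostname)


if __name__ == "__main__":
    # Constructed values: no real provider is contacted; the stand-in classes
    # only record the arguments they were given.
    url, creds, ns = "https://ecom.example.com:5989", ("admin", "secret"), "root/emc"
    ca = "/etc/cinder/ca_certs/ecom.crt"
    print(make_connection(NewWBEMConnection, url, creds, ns, ca).verifies)
    try:
        make_connection(OldWBEMConnection, url, creds, ns, ca)
    except UnverifiedTLSError as exc:
        print("refused:", exc)
    print(context_policy(hardened_ssl_context()), context_policy(trust_anything_context()))
```

The point of the signature check is that an old library must not be handled by quietly dropping the keyword arguments: a driver that does that keeps working on Ubuntu's pywbem 0.7.0 and keeps trusting any certificate, which is exactly the reported condition. Raising, and logging the explicit opt-in, makes the degraded state visible to the operator.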