[Openstack-security] [Bug 1372643] Re: MITM vulnerability with XIV driver
Alon Marx
alonma at il.ibm.com
Tue Oct 21 19:15:15 UTC 2014
Hi Jay,
Yes, we have this fixed. The fix is available in our Juno driver.
The fix requires a certificate file to be put in the file system in well-known directories (e.g. /etc/ssl/certs). This means that the user can also set his own certificates if he so wishes (one can set his own certification on the XIV storage).
We still have some work on packaging and documentation ahead of us.
Alon
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372643
Title:
MITM vulnerability with XIV driver
Status in Cinder:
Triaged
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The XIV driver in Juno appears to blindly trust whatever certificate
it gets back from the device without any validation. This would leave
it open to a MITM attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372643/+subscriptions
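The validation gap in the bug description and the certificate-file approach mentioned in the reply, shown as an added example using Python's standard `ssl` module. This is not the XIV driver's code and not part of the original message; the function names and the single search directory are assumptions.

```python
import os
import ssl

# Assumed search path: the reply gives /etc/ssl/certs only as an example.
CA_DIRS = ("/etc/ssl/certs",)


def find_ca_file(name, dirs=CA_DIRS):
    """Return the first existing dir/name path, or None if it is absent."""
    for d in dirs:
        path = os.path.join(d, name)
        if os.path.isfile(path):
            return path
    return None


def verifying_context(ca_file=None):
    """Client context that rejects untrusted or mismatched certificates."""
    # create_default_context() sets CERT_REQUIRED and enables hostname checks.
    ctx = ssl.create_default_context()
    if ca_file is not None:
        # Operator-supplied certificate, e.g. one installed on the array.
        # Raises if the file is missing or not PEM, so a bad path fails
        # closed instead of silently disabling verification.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def trusting_context():
    """The behaviour in the bug description: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mitm_findings(ctx):
    """List the settings that leave a context open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings
```

Running `mitm_findings()` over the context a client is about to use is a cheap pre-connection check that a configuration option has not switched verification off.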