From 1582185 at bugs.launchpad.net Wed Feb 1 01:09:12 2017
From: 1582185 at bugs.launchpad.net (Armando Migliaccio)
Date: Wed, 01 Feb 2017 01:09:12 -0000
Subject: [Openstack-security] [Bug 1582185] Re: when vm detaches security group with remote_group_id, vm's ip address is not deleted from ipset members.
References: <20160516111757.8981.38537.malonedeb@gac.canonical.com>
Message-ID: <20170201010912.12187.50295.malone@soybean.canonical.com>

This bug is > 180 days without activity. We are unsetting assignee and
milestone and setting status to Incomplete in order to allow its expiry
in 60 days.

If the bug is still valid, then update the bug status.

** Changed in: neutron
     Assignee: ugvddm (271025598-9) => (unassigned)

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1582185

Title:
  when vm detaches security group with remote_group_id, vm's ip address
  is not deleted from ipset members.

Status in neutron:
  Incomplete

Bug description:
  There is a default security group, and two VMs have been attached to
  it. The security group is as below:

  +--------------------------------------+---------+-----------------------------------------------------------------------------+
  | 204844ae-6939-44d3-a375-1999cd44c942 | default | egress, IPv4                                                                |
  |                                      |         | egress, IPv4, 22/tcp, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942 |
  |                                      |         | egress, IPv6                                                                |
  |                                      |         | ingress, IPv4, 22/tcp                                                       |
  |                                      |         | ingress, IPv4, 3389/tcp                                                     |
  |                                      |         | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0                            |
  |                                      |         | ingress, IPv4, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |
  |                                      |         | ingress, IPv6, 22/tcp                                                       |
  |                                      |         | ingress, IPv6, 3389/tcp                                                     |
  |                                      |         | ingress, IPv6, icmp                                                         |
  |                                      |         | ingress, IPv6, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |
  +--------------------------------------+---------+-----------------------------------------------------------------------------+

  [root@openstack ~(keystone_admin)]# nova list
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | ID                                   | Name  | Status | Task State | Power State | Networks          |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | 4558881d-2784-40b8-a0fc-a8238196ca47 | vm1   | ACTIVE | -          | Running     | dddd=172.16.0.9   |
  | e67ba1de-305d-4915-a2bc-bb24b0389546 | vm2   | ACTIVE | -          | Running     | test=192.168.12.6 |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+

  Reproduce:

  step 1: vm1 attaches the default security group

  step 2: vm2 attaches the default security group, we can see the ipset
  member:

  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 6
  Members:
  192.168.12.6
  172.16.0.9

  step 3: vm2 detaches the default, now we can see "192.168.12.6" still
  over there:

  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 5
  Members:
  192.168.12.6
  172.16.0.9

  Expected: "192.168.12.6" should be removed from ipset member.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1582185/+subscriptions

From 1582185 at bugs.launchpad.net Wed Feb 1 02:47:20 2017
From: 1582185 at bugs.launchpad.net (Armando Migliaccio)
Date: Wed, 01 Feb 2017 02:47:20 -0000
Subject: [Openstack-security] [Bug 1582185] Re: when vm detaches security group with remote_group_id, vm's ip address is not deleted from ipset members.
References: <20160516111757.8981.38537.malonedeb@gac.canonical.com>
Message-ID: <20170201024723.17508.12951.launchpad@chaenomeles.canonical.com>

** Changed in: neutron
       Status: Incomplete => Invalid

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1582185

Title:
  when vm detaches security group with remote_group_id, vm's ip address
  is not deleted from ipset members.
Status in neutron:
  Invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1582185/+subscriptions

From 1634907 at bugs.launchpad.net Thu Feb 2 17:48:28 2017
From: 1634907 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 02 Feb 2017 17:48:28 -0000
Subject: [Openstack-security] [Bug 1634907] Fix included in openstack/ceilometer 8.0.0
References: <20161019135504.30434.25617.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170202174828.12050.37809.malone@soybean.canonical.com>

This issue was fixed in the openstack/ceilometer 8.0.0 release.

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1634907

Title:
  Auth password is being printed to logs in opendaylight client

Status in Ceilometer:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The opendaylight client is printing debug that can potentially contain
  the user password. This should be redacted for security.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1634907/+subscriptions

From fungi at yuggoth.org Thu Feb 2 20:49:53 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Thu, 02 Feb 2017 20:49:53 -0000
Subject: [Openstack-security] [Bug 1639032] Re: Hardcoded password sent plaintext
References: <20161103200833.21606.82991.malonedeb@gac.canonical.com>
Message-ID: <20170202204955.27146.97818.launchpad@wampee.canonical.com>

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers.
- Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
  In cinder/volume/drivers/nexenta/utils.py:103 there is a hardcoded
  password. This password is then used in
  cinder/volume/drivers/nexenta/iscsi.py and
  cinder/volume/drivers/nexenta/nfs.py.

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1639032

Title:
  Hardcoded password sent plaintext

Status in Cinder:
  Invalid
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  In cinder/volume/drivers/nexenta/utils.py:103 there is a hardcoded
  password. This password is then used in
  cinder/volume/drivers/nexenta/iscsi.py and
  cinder/volume/drivers/nexenta/nfs.py.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1639032/+subscriptions

From 1662556 at bugs.launchpad.net Tue Feb 7 15:44:32 2017
From: 1662556 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:44:32 -0000
Subject: [Openstack-security] [Bug 1662556] [NEW] Coprhd disabling certificate verification
Message-ID: <20170207154433.5937.18690.malonedeb@wampee.canonical.com>

Public bug reported:

Coprhd is making request calls with verify=False which disables SSL
certificate checks in the following files:

cinder/volume/drivers/coprhd/helpers/authentication.py
cinder/volume/drivers/coprhd/helpers/commoncoprhdapi.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.
** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: coprhd security

** Tags added: coprhd

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662556

Title:
  Coprhd disabling certificate verification

Status in Cinder:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662556/+subscriptions

From 1662564 at bugs.launchpad.net Tue Feb 7 15:52:26 2017
From: 1662564 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:52:26 -0000
Subject: [Openstack-security] [Bug 1662564] [NEW] Tintri disabling certificate verification
Message-ID: <20170207155226.29755.2751.malonedeb@gac.canonical.com>

Public bug reported:

Tintri is making request calls with verify=False which disables SSL
certificate checks in the following file:

cinder/volume/drivers/tintri.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.

** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: security tintri

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662564

Title:
  Tintri disabling certificate verification

Status in Cinder:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662564/+subscriptions

From 1662563 at bugs.launchpad.net Tue Feb 7 15:51:08 2017
From: 1662563 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:51:08 -0000
Subject: [Openstack-security] [Bug 1662563] [NEW] Tegile disabling certificate verification
Message-ID: <20170207155109.5558.85832.malonedeb@soybean.canonical.com>

Public bug reported:

Tegile is making request calls with verify=False which disables SSL
certificate checks in the following file:

cinder/volume/drivers/tegile.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.

** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: security tegile

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662563

Title:
  Tegile disabling certificate verification

Status in Cinder:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662563/+subscriptions

From 1662561 at bugs.launchpad.net Tue Feb 7 15:49:46 2017
From: 1662561 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:49:46 -0000
Subject: [Openstack-security] [Bug 1662561] [NEW] Solidfire disabling certificate verification
Message-ID: <20170207154946.3933.13220.malonedeb@chaenomeles.canonical.com>

Public bug reported:

Solidfire is making request calls with verify=False which disables SSL
certificate checks in the following file:

cinder/volume/drivers/solidfire.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.

** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: security solidfire

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662561

Title:
  Solidfire disabling certificate verification

Status in Cinder:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662561/+subscriptions

From 1662560 at bugs.launchpad.net Tue Feb 7 15:48:34 2017
From: 1662560 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:48:34 -0000
Subject: [Openstack-security] [Bug 1662560] [NEW] Nimble disabling certificate verification
Message-ID: <20170207154834.29821.31992.malonedeb@gac.canonical.com>

Public bug reported:

Nimble is making request calls with verify=False which disables SSL
certificate checks in the following file:

cinder/volume/drivers/nimble.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.

** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: nimble security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662560

Title:
  Nimble disabling certificate verification

Status in Cinder:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662560/+subscriptions

From 1662558 at bugs.launchpad.net Tue Feb 7 15:46:48 2017
From: 1662558 at bugs.launchpad.net (Rohan Arora)
Date: Tue, 07 Feb 2017 15:46:48 -0000
Subject: [Openstack-security] [Bug 1662558] [NEW] Nexenta disabling certificate verification
Message-ID: <20170207154648.30362.815.malonedeb@gac.canonical.com>

Public bug reported:

Nexenta is making request calls with verify=False which disables SSL
certificate checks in the following file:

cinder/volume/drivers/nexenta/ns5/jsonrpc.py

As suggested in this patch set (https://review.openstack.org/#/c/426385/),
this bug is being opened in order to either fix the checks or add comments
in the driver explaining why this is safe.

** Affects: cinder
     Importance: Undecided
         Status: New

** Tags: nexenta security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662558

Title:
  Nexenta disabling certificate verification

Status in Cinder:
  New
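The six Cinder driver reports above (bugs 1662556 through 1662564) and the Brocade report that follows all describe the same pattern: a requests call made with a literal verify=False. The following is an added example, not code from Cinder or from any of the drivers named in the reports. It automates what the reporter did by hand: parse each Python module and flag every call that passes verify=False, so the whole tree can be checked rather than the files someone happened to open. The sample source is constructed for this example; it embeds the Brocade snippet quoted in bug 1661333 inside an assumed function named _send, plus one hardened call that passes an assumed ca_path argument instead of False.

```python
"""Find calls that disable TLS certificate verification.

Added example for the verify=False reports in this thread; not code from
Cinder or any of the named drivers. It parses each module and flags every
call that passes a literal verify=False, the pattern all of the reports
quote. Bandit's B501 check does the same job in CI.
"""
import ast
import sys
from typing import List, Tuple

# Constructed sample: the Brocade snippet quoted in bug 1661333, wrapped in
# an assumed function `_send` so it parses, plus one hardened call that
# passes a CA bundle path from driver configuration (assumed name ca_path).
SAMPLE_SOURCE = '''
def _send(self, requestType, url, header, payload, ca_path):
    if requestType == zone_constant.GET_METHOD:
        response = self.session.get(url, headers=(header), verify=False)
    elif requestType == zone_constant.POST_METHOD:
        response = self.session.post(url, payload, headers=(header), verify=False)
    else:
        response = self.session.put(url, payload, headers=header, verify=ca_path)
    return response
'''

Finding = Tuple[str, int, str]  # (filename, line, callee)


def _callee(call: ast.Call) -> str:
    """Name of the called attribute or function, for the report line."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<call>"


def find_unverified_tls(source: str, filename: str = "<string>") -> List[Finding]:
    """Return every call in `source` that passes verify=False, sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # A literal False only; verify=<variable> would need data-flow analysis.
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                findings.append((filename, node.lineno, _callee(node)))
    return sorted(findings, key=lambda f: f[1])


def scan_files(paths: List[str]) -> List[Finding]:
    """Scan the given .py files; a file that does not parse is reported, not fatal."""
    findings: List[Finding] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            try:
                findings.extend(find_unverified_tls(fh.read(), path))
            except SyntaxError as exc:
                print(f"{path}: skipped ({exc})", file=sys.stderr)
    return findings


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_files(targets) if targets else find_unverified_tls(SAMPLE_SOURCE, "brcd_http_fc_zone_client.py")
    for filename, line, callee in results:
        print(f"{filename}:{line}: {callee}() called with verify=False")
    sys.exit(1 if results else 0)
```

Run with no arguments it reports lines 4 and 6 of the sample and exits non-zero; with file paths it scans those instead, which is the shape you want as a gate in CI. The scanner deliberately ignores verify passed as a name: that case is where a driver has already wired the setting to configuration, which is the fix the reports ask for.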
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662558/+subscriptions

From fungi at yuggoth.org Tue Feb 7 16:31:12 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 07 Feb 2017 16:31:12 -0000
Subject: [Openstack-security] [Bug 1661333] Re: Cinder Brocade driver does not do certificate validation
References: <20170202171836.11951.49204.malonedeb@soybean.canonical.com>
Message-ID: <20170207163112.6259.41202.malone@wampee.canonical.com>

The following related reports were also submitted publicly today as
security hardening opportunities:

bug 1662556
bug 1662558
bug 1662560
bug 1662561
bug 1662563
bug 1662564

Since there have been no objections from the core security reviewers for
Cinder, I'm going ahead and switching this to a public hardening
opportunity report similarly.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Private Security to Public

** Tags added: security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1661333

Title:
  Cinder Brocade driver does not do certificate validation

Status in Cinder:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  It is observed that the brocade driver found at
  cinder/zonemanager/drivers/brocade/brcd_http_fc_zone_client.py makes a
  https connection to the switch (virtual fabric) without certificate
  validation. As seen in the code below, the code creates a requests
  session and hard-codes certificate verification as False, thus
  disabling certificate validation in all cases.
  There's no option to enable certificate validation (verify=True) or
  point to the path of the root certificate (verify=).

      if requestType == zone_constant.GET_METHOD:
          response = self.session.get(url, headers=(header), verify=False)
      elif requestType == zone_constant.POST_METHOD:
          response = self.session.post(url, payload, headers=(header), verify=False)

  This could lead to insecure communication and man-in-the-middle
  attacks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1661333/+subscriptions

From fungi at yuggoth.org Thu Feb 9 14:34:52 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Thu, 09 Feb 2017 14:34:52 -0000
Subject: [Openstack-security] [Bug 1549483] Re: Normal user can replace active image data if show_multiple_locations has been set to true
References: <20160224211701.1760.37783.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170209143453.30072.57129.launchpad@gac.canonical.com>

** Tags added: security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1549483

Title:
  Normal user can replace active image data if show_multiple_locations
  has been set to true

Status in Glance:
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Some time ago there was a security bug
  https://bugs.launchpad.net/glance/+bug/1525915 and a patch was proposed
  and merged in the Glance repo. Unfortunately it partially fixed the
  problem and the issue with immutability still exists.

  Bug description:
  User (non admin) can change image data by updating location for image
  when "show_multiple_locations" config parameter has been set to true.
  This breaks the immutability of images in Glance and allows a malicious
  user to replace data after image activation.
  mfedosin@wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | None                                 |
  | container_format | bare                                 |
  | created_at       | 2015-11-10T18:41:53Z                 |
  | disk_format      | qcow2                                |
  | id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6 |
  | locations        | []                                   |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | good                                 |
  | owner            | f3b42d4b90d840b8806e46fb4a7edca3     |
  | protected        | False                                |
  | size             | None                                 |
  | status           | queued                               |
  | tags             | []                                   |
  | updated_at       | 2015-11-10T18:41:53Z                 |
  | virtual_size     | None                                 |
  | visibility       | public                               |
  +------------------+--------------------------------------+

  mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
  +------------------+------------------------------------------------------------------------------------+
  | Property         | Value                                                                              |
  +------------------+------------------------------------------------------------------------------------+
  | checksum         | None                                                                               |
  | container_format | bare                                                                               |
  | created_at       | 2015-11-10T18:41:53Z                                                               |
  | disk_format      | qcow2                                                                              |
  | file             | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file                               |
  | id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6                                               |
  | locations        | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata":      |
  |                  | {}}]                                                                               |
  | min_disk         | 0                                                                                  |
  | min_ram          | 0                                                                                  |
  | name             | good                                                                               |
  | owner            | f3b42d4b90d840b8806e46fb4a7edca3                                                   |
  | protected        | False                                                                              |
  | schema           | /v2/schemas/image                                                                  |
  | size             | 43                                                                                 |
  | status           | active                                                                             |
  | tags             | []                                                                                 |
  | updated_at       | 2015-11-10T18:42:21Z                                                               |
  | virtual_size     | None                                                                               |
  | visibility       | public                                                                             |
  +------------------+------------------------------------------------------------------------------------+

  mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
  mfedosin@wdev:~$ cat ooo
  I'm really good image.

  mfedosin@wdev:~$ glance location-add 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/bad.txt'
  +------------------+------------------------------------------------------------------------------------+
  | Property         | Value                                                                              |
  +------------------+------------------------------------------------------------------------------------+
  | checksum         | None                                                                               |
  | container_format | bare                                                                               |
  | created_at       | 2015-11-10T18:41:53Z                                                               |
  | disk_format      | qcow2                                                                              |
  | file             | /v2/images/2a745d21-66b7-43e0-90b5-ebe62232f7d6/file                               |
  | id               | 2a745d21-66b7-43e0-90b5-ebe62232f7d6                                               |
  | locations        | [{"url": "https://dl.dropboxusercontent.com/u/13626875/good.txt", "metadata":      |
  |                  | {}}, {"url": "https://dl.dropboxusercontent.com/u/13626875/bad.txt", "metadata":   |
  |                  | {}}]                                                                               |
  | min_disk         | 0                                                                                  |
  | min_ram          | 0                                                                                  |
  | name             | good                                                                               |
  | owner            | f3b42d4b90d840b8806e46fb4a7edca3                                                   |
  | protected        | False                                                                              |
  | schema           | /v2/schemas/image                                                                  |
  | size             | 43                                                                                 |
  | status           | active                                                                             |
  | tags             | []                                                                                 |
  | updated_at       | 2015-11-10T18:42:29Z                                                               |
  | virtual_size     | None                                                                               |
  | visibility       | public                                                                             |
  +------------------+------------------------------------------------------------------------------------+

  mfedosin@wdev:~$ glance location-delete 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --url 'https://dl.dropboxusercontent.com/u/13626875/good.txt'
  mfedosin@wdev:~$ glance image-download 2a745d21-66b7-43e0-90b5-ebe62232f7d6 --file ooo
  mfedosin@wdev:~$ cat ooo
  All your base are belong to us! Muahahaha!
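The transcript above shows the swap from the operator's side. The following is an added example, not Glance code and not part of the bug report: a consumer-side check that catches the same swap. Two signals are visible in the glance output itself: the image's checksum stays None after location-add (no data ever passed through the Glance API), and the image briefly carries two locations. A consumer that pins the digest of the bytes it first accepted also notices that the served content changed after the original location is deleted. Field names follow the glance output above; the two file bodies are constructed stand-ins for what the good.txt and bad.txt URLs served. On the operator side, show_multiple_locations defaults to False in glance-api.conf, and the report depends on it having been turned on.

```python
"""Consumer-side integrity check for Glance images populated via locations.

Added example for bug 1549483; not Glance code. After `location-add` the
image's checksum is None (no data ever passed through the Glance API), and
once the original location is deleted the bytes served no longer match the
digest pinned on first use. Field names follow the `glance` output in the
report; the file bodies are constructed stand-ins for what the URLs served.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ImageRecord:
    id: str
    status: str
    checksum: Optional[str]                 # None in the transcript after location-add
    locations: List[Dict] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_image(record: ImageRecord, data: bytes, pinned_sha256: Optional[str]) -> List[str]:
    """Reasons not to trust `data` for `record`; an empty list means accept.

    pinned_sha256 is the digest the consumer stored the first time it
    accepted this image id; None means nothing has been pinned yet.
    """
    problems: List[str] = []
    if record.status != "active":
        problems.append(f"image status is {record.status!r}, not active")
    if record.checksum is None:
        problems.append("no checksum recorded: data was attached by location, not uploaded")
    if len(record.locations) > 1:
        problems.append("multiple locations: served bytes depend on location order")
    actual = sha256_hex(data)
    if pinned_sha256 is not None and actual != pinned_sha256:
        problems.append(f"content changed: pinned {pinned_sha256[:12]}, served {actual[:12]}")
    return problems


IMAGE_ID = "2a745d21-66b7-43e0-90b5-ebe62232f7d6"
GOOD_URL = "https://dl.dropboxusercontent.com/u/13626875/good.txt"
BAD_URL = "https://dl.dropboxusercontent.com/u/13626875/bad.txt"
GOOD_DATA = b"I'm really good image.\n"                     # constructed stand-in
BAD_DATA = b"All your base are belong to us! Muahahaha!\n"  # constructed stand-in


def replay_transcript() -> Tuple[List[str], List[str]]:
    """Replay the glance commands from the report from the consumer's point of view."""
    # After `location-add good.txt`: active, checksum None, one location.
    first_view = ImageRecord(IMAGE_ID, "active", None, [{"url": GOOD_URL, "metadata": {}}])
    first_problems = assess_image(first_view, GOOD_DATA, pinned_sha256=None)
    pin = sha256_hex(GOOD_DATA)   # the consumer decides to trust it and pins the digest
    # After `location-add bad.txt` and `location-delete good.txt`: same id, new bytes.
    swapped_view = ImageRecord(IMAGE_ID, "active", None, [{"url": BAD_URL, "metadata": {}}])
    second_problems = assess_image(swapped_view, BAD_DATA, pinned_sha256=pin)
    return first_problems, second_problems


if __name__ == "__main__":
    before, after = replay_transcript()
    print("first download :", before or ["accepted"])
    print("after the swap :", after)
```

The first download is already flagged for having no API-recorded checksum, which is the cheapest signal to act on; the pin is what turns a later swap into a hard failure rather than a warning. Pin the digest in the consumer's own store, not in image metadata, since an owner who can edit locations can edit metadata too.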
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1549483/+subscriptions

From 1606495 at bugs.launchpad.net Thu Feb 9 17:07:16 2017
From: 1606495 at bugs.launchpad.net (Robert Clark)
Date: Thu, 09 Feb 2017 17:07:16 -0000
Subject: [Openstack-security] [Bug 1606495] Re: copy_from in api v1 allows network port scan
References: <20160726093308.5782.75451.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170209170717.30179.47948.launchpad@gac.canonical.com>

** Changed in: ossn
     Assignee: Travis McPeak (travis-mcpeak) => (unassigned)

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1606495

Title:
  copy_from in api v1 allows network port scan

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  New

Bug description:
  This issue is being treated as a potential security risk under embargo.
  Please do not make any public mention of embargoed (private) security
  vulnerabilities before their coordinated publication by the OpenStack
  Vulnerability Management Team in the form of an official OpenStack
  Security Advisory. This includes discussion of the bug or associated
  fixes in public forums such as mailing lists, code review systems and
  bug trackers. Please also avoid private disclosure to other individuals
  not already approved for access to this information, and provide this
  same reminder to those who are made aware of the issue prior to
  publication. All discussion should remain confined to this private bug
  report, and any proposed fixes should be added to the bug as
  attachments.

  copy_from allows creating images with a URL like http://localhost:22.
  The remote content gets copied unverified into the defined glance
  store. E.g. after downloading the image with copy_from URL
  http://localhost:22, you see the OpenSSH banner.
  This is a security issue, as it allows users to do network "scans" for
  open ports and it copies remote (potentially malicious) content
  unverified to your configured glance store.

  glance api v1 is still the default in horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1606495/+subscriptions

From fungi at yuggoth.org Tue Feb 14 23:23:02 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 14 Feb 2017 23:23:02 -0000
Subject: [Openstack-security] [Bug 1575909] Re: VPN shared PSK shown in plaintext
References: <20160427201532.25434.8113.malonedeb@wampee.canonical.com>
Message-ID: <20170214232302.30329.41116.launchpad@gac.canonical.com>

** Information type changed from Public Security to Public

** Tags added: security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In the neutron VPN details and form,
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43
  and
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249
  don't offer the option of hiding the string. Typically sensitive
  information like passwords is hidden by default, requiring the user to
  explicitly choose to make it visible by clicking an icon (like the eye
  icon).

  Filing this as a security bug out of an overabundance of caution; while
  it is related to security it doesn't describe a vulnerability that can
  be exploited by means other than shoulder surfing.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions

From rcresswe at cisco.com Wed Feb 15 10:05:47 2017
From: rcresswe at cisco.com (Rob Cresswell)
Date: Wed, 15 Feb 2017 10:05:47 -0000
Subject: [Openstack-security] [Bug 1575909] Re: VPN shared PSK shown in plaintext
References: <20160427201532.25434.8113.malonedeb@wampee.canonical.com>
Message-ID: <20170215100547.30140.78283.malone@gac.canonical.com>

Submitting patches automatically updates Launchpad. Please don't modify
the status to In Progress manually.

** Changed in: horizon
       Status: In Progress => New

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions

From 1575909 at bugs.launchpad.net Wed Feb 15 20:49:41 2017
From: 1575909 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 15 Feb 2017 20:49:41 -0000
Subject: [Openstack-security] [Bug 1575909] Fix proposed to horizon (master)
References: <20160427201532.25434.8113.malonedeb@wampee.canonical.com>
Message-ID: <20170215204941.6149.43777.malone@wampee.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/434508

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions

From 1662556 at bugs.launchpad.net Wed Feb 15 22:07:44 2017
From: 1662556 at bugs.launchpad.net (Xing Yang)
Date: Wed, 15 Feb 2017 22:07:44 -0000
Subject: [Openstack-security] [Bug 1662556] Re: Coprhd disabling certificate verification
References: <20170207154433.5937.18690.malonedeb@wampee.canonical.com>
Message-ID: <20170215220744.29891.56631.malone@gac.canonical.com>

*** This bug is a duplicate of bug 1653626 ***
    https://bugs.launchpad.net/bugs/1653626

Marked this bug as a duplicate of
https://bugs.launchpad.net/cinder/+bug/1653626 which already has a patch
submitted for it.

** This bug has been marked a duplicate of bug 1653626
   IBM User tries to communicate with CoprHD securely, but fails to do so

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662556

Title:
  Coprhd disabling certificate verification

Status in Cinder:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662556/+subscriptions

From lhinds at redhat.com Wed Feb 15 22:49:18 2017
From: lhinds at redhat.com (Luke Hinds)
Date: Wed, 15 Feb 2017 22:49:18 -0000
Subject: [Openstack-security] [Bug 1606495] Re: copy_from in api v1 allows network port scan
References: <20160726093308.5782.75451.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170215224920.6409.75632.launchpad@wampee.canonical.com>

** Changed in: ossn
   Assignee: (unassigned) => Luke Hinds (lhinds)

https://bugs.launchpad.net/bugs/1606495

Title: copy_from in api v1 allows network port scan
Status in Glance: New
Status in OpenStack Security Advisory: Opinion
Status in OpenStack Security Notes: New

Bug description:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

copy_from allows to create Images with an url like http://localhost:22
The remote content gets copied unverified in the defined glance store. E.g. after downloading the image with copy_from url http://localhost:22, you see the OpenSSH banner.
This is a security issue, as it allows users to do network "scans" for open ports and it copies remote (potentially malicious) content unverified to your configured glance store.

glance api v1 is still the default in horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1606495/+subscriptions

From openstack-security at lists.openstack.org Fri Feb 17 09:15:55 2017
From: openstack-security at lists.openstack.org (酆半琴)
Date: Fri, 17 Feb 2017 17:15:55 +0800
Subject: [Openstack-security] openstack-security: How to handle employee disciplinary issues? lyyoql
Message-ID: <20170217171602781837@bxjmf.com>

openstack-security: Hello

1. How to prevent "recruitment fraud" by workers, and how to prove the worker's "fraud"?
2. What details should be paid attention to when recruiting fresh graduates?
3. What details should be paid attention to when hiring people who have reached the statutory retirement age?
4. What details should be paid attention to when hiring people who are awaiting reassignment, in early internal retirement, or on leave without pay with their position retained?
5. What details should be paid attention to in pre-employment medical examinations?
6. What should the employer inform the worker of before and after onboarding, and how should evidence be retained?
7. How should the "Onboarding Registration Form" be designed so that it helps prevent legal risk?
8. What should be done when a worker cannot provide a "Certificate of Separation"?
9. How should a company write an "Offer Letter", and what are its legal risks?

I hope the contents of the attachment are of help in your work...

I dare not speak aloud, for fear of startling those in heaven.

2017-2-17 17:15:59 酆半琴

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 有效调岗调薪、裁员解雇及违纪问题员工处理技巧.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 27224 bytes
Desc: not available
URL:

From 1649446 at bugs.launchpad.net Tue Feb 21 16:43:16 2017
From: 1649446 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 21 Feb 2017 16:43:16 -0000
Subject: [Openstack-security] [Bug 1649446] Re: Non-Admin Access to Revocation Events
References: <20161213023643.29317.10154.malonedeb@wampee.canonical.com>
Message-ID: <20170221164316.5359.28266.malone@wampee.canonical.com>

Reviewed: https://review.openstack.org/428759
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=67034c4db8613e8cead5e5839edbecf040b4fb91
Submitter: Jenkins
Branch: master

commit 67034c4db8613e8cead5e5839edbecf040b4fb91
Author: Frode Nordahl
Date: Tue Jan 10 08:50:28 2017 +0100

    Update policy.json for Ocata

    Refresh v2 and v3 portion of policy.json from upstream keystone repository @ commit d4a890a6c8bd6927e229f4b665a982a51c130073

    Add functional tests to verify effect of policy

    Update functional tests to use keystone_configure_api_version from charm-helpers

    Update functional tests to correctly validate cinder services when openstack release >= ocata

    Enable functional test for ocata, set appropriate cinder configuration.

    Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
    Closes-Bug: 1651989
    Closes-Bug: 1649446

** Changed in: keystone (Juju Charms Collection)
   Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/1649446

Title: Non-Admin Access to Revocation Events
Status in OpenStack Identity (keystone): Fix Released
Status in OpenStack Security Advisory: Won't Fix
Status in keystone package in Juju Charms Collection: Fix Committed

Bug description:
With the default Keystone policy any authed user can list all revocation events for the cluster: https://github.com/openstack/keystone/blob/master/etc/policy.json#L179

This can be done by directly calling the API as such:

curl -g -i -X GET http://localhost/identity/v3/OS-REVOKE/events -H "Accept: application/json" -H "X-Auth-Token: "

and this will provide you with a normal revocation event list (see attachment). This will allow a user to over time collect a list of user_ids and project_ids. The project_ids aren't particularly useful, but the user_ids can be used to lock people out of their accounts. Or if rate limiting is not set up (a bad idea), or somehow bypassed, would allow someone to brute force access to those ids. Knowing the ids is no worse than knowing the usernames, but as a non-admin you shouldn't have access to such a list anyway.

It is also worth noting that OpenStack policy files are rife with these blank policy rules, not just Keystone. Some are safe and intended to be accessible by any authed user, others are checked at the code layer, but there may be other rules that are unsafe to expose to any authed user and as such should actually default to "rule:admin_required" or something other than blank.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1649446/+subscriptions

From gerrit2 at review.openstack.org Tue Feb 21 20:38:09 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Tue, 21 Feb 2017 20:38:09 +0000
Subject: [Openstack-security] [openstack/barbican-specs] SecurityImpact review request change I6c70e457a1cae2ae4f6d226a4e047e0b05e76e8d
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.
https://review.openstack.org/431228

Log:
commit 5e3cc461a87555845afb94ee9b7766c724e9e789
Author: Douglas Mendizábal
Date: Wed Feb 8 17:39:09 2017 -0600

    Enhance SimpleCryptoPlugin

    This spec proposes an enhancement to SimpleCryptoPlugin to remove the encryption key from the barbican.conf file.

    Change-Id: I6c70e457a1cae2ae4f6d226a4e047e0b05e76e8d
    SecurityImpact
    DocImpact
    APIImpact

From morgan.fainberg at gmail.com Mon Feb 27 21:35:44 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Mon, 27 Feb 2017 21:35:44 -0000
Subject: [Openstack-security] [Bug 1543048] Re: support alternative password hashing in keystone
References: <20160208102502.15773.89678.malonedeb@gac.canonical.com>
Message-ID: <20170227213544.21833.61639.malone@gac.canonical.com>

Moving this to "high" as sha512_crypt is totally insufficient for password hashes.

** Changed in: keystone
   Importance: Wishlist => High

https://bugs.launchpad.net/bugs/1543048

Title: support alternative password hashing in keystone
Status in OpenStack Identity (keystone): In Progress

Bug description:
Once upon a time there was bug #862730 recommending that alternative password hashing be supported which was closed as invalid since hashing became a base-line feature of Keystone's passwords.
It would be generally beneficial to support at the very least the passlib implementation of bcrypt as an alternative to strictly sha512 based password hashing. Ideally this should also take into account the relatively new player scrypt. NIST has standardized (afaict) on the SHA-2 based hashing, which should remain the default. Architecture that will support some different password hashing made available at least through passlib will make keystone better in the long term, allowing for operators to determine more than just the SHA-2 based cost.

The proposal is as follows:
* Allow selected support of different password hashing algorithms from within passlib architecturally
* Expand to support bcrypt
* Deprecate the "crypt_strength" option in favor of identifying the cost when selecting the password hashing algorithm such as: sha512::10000 or bcrypt::12
* Keep the default the same as today
* Identify the password hash based upon the algorithm used, no identifier = sha512 (this might not be required)
* Add "py-bcrypt" or similar "preferred" backend(s) to extras in setup.cfg

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1543048/+subscriptions

From 1543048 at bugs.launchpad.net Mon Feb 27 21:36:10 2017
From: 1543048 at bugs.launchpad.net (OpenStack Infra)
Date: Mon, 27 Feb 2017 21:36:10 -0000
Subject: [Openstack-security] [Bug 1543048] Re: support alternative password hashing in keystone
References: <20160208102502.15773.89678.malonedeb@gac.canonical.com>
Message-ID: <20170227213611.22478.98889.launchpad@gac.canonical.com>

** Changed in: keystone
   Status: Triaged => In Progress

** Changed in: keystone
   Assignee: (unassigned) => Morgan Fainberg (mdrnstm)
https://bugs.launchpad.net/bugs/1543048

Title: support alternative password hashing in keystone
Status in OpenStack Identity (keystone): In Progress

From morgan.fainberg at gmail.com Mon Feb 27 22:00:29 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Mon, 27 Feb 2017 22:00:29 -0000
Subject: [Openstack-security] [Bug 1543048] Re: support alternative password hashing in keystone
References: <20160208102502.15773.89678.malonedeb@gac.canonical.com>
Message-ID: <20170227220029.7648.75403.malone@chaenomeles.canonical.com>

Totally insufficient in the way it is implemented as
described by Jeremy, use in a key derivation mechanism is just fine. However, keystone is using sha512_crypt instead of pbkdf2_sha512 or bcrypt or scrypt, etc.

https://bugs.launchpad.net/bugs/1543048

Title: support alternative password hashing in keystone
Status in OpenStack Identity (keystone): In Progress
From morgan.fainberg at gmail.com Tue Feb 28 05:23:47 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Tue, 28 Feb 2017 05:23:47 -0000
Subject: [Openstack-security] [Bug 1668503] [NEW] sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Message-ID: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>

*** This bug is a security vulnerability ***

Public security bug reported:

Keystone uses sha512_crypt for password hashing. This is completely insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).

The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt.

This bug is marked as public security as bug #1543048 has already highlighted this issue.

** Affects: keystone
   Importance: Critical
   Assignee: Morgan Fainberg (mdrnstm)
   Status: Triaged

** Affects: ossa
   Importance: Undecided
   Status: Incomplete

** Tags: security

** Also affects: ossa
   Importance: Undecided
   Status: New

** Changed in: ossa
   Status: New => Incomplete
https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone): Triaged
Status in OpenStack Security Advisory: Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions

From morgan.fainberg at gmail.com Tue Feb 28 05:24:37 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Tue, 28 Feb 2017 05:24:37 -0000
Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170228052437.6279.76865.malone@wampee.canonical.com>

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone): Triaged
Status in OpenStack Security Advisory: Incomplete

Bug description:
Keystone uses sha512_crypt for password hashing.
This is completely insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).

The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt.

This bug is marked as public security as bug #1543048 has already highlighted this issue.

From 1668503 at bugs.launchpad.net Tue Feb 28 05:46:39 2017
From: 1668503 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 28 Feb 2017 05:46:39 -0000
Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170228054639.6179.17908.malone@wampee.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/438808

** Changed in: keystone
   Status: Triaged => In Progress

https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone): In Progress
Status in OpenStack Identity (keystone) mitaka series: New
Status in OpenStack Identity (keystone) newton series: New
Status in OpenStack Identity (keystone) ocata series: New
Status in OpenStack Identity (keystone) pike series: In Progress
Status in OpenStack Security Advisory: Incomplete

Bug description:
Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).

The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already highlighted this issue.

From morgan.fainberg at gmail.com Tue Feb 28 05:46:45 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Tue, 28 Feb 2017 05:46:45 -0000
Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170228054647.21088.26411.launchpad@soybean.canonical.com>

** Changed in: keystone
   Importance: Critical => High

** Also affects: keystone/mitaka
   Importance: Undecided
   Status: New

** Also affects: keystone/pike
   Importance: High
   Assignee: Morgan Fainberg (mdrnstm)
   Status: In Progress

** Also affects: keystone/newton
   Importance: Undecided
   Status: New

** Also affects: keystone/ocata
   Importance: Undecided
   Status: New

** Description changed:

- Keystone uses sha512_crypt for password hashing. This is completely
- insufficient and provides limited protection (even with 10,000 rounds)
- against brute-forcing of the password hashes (especially with FPGAs
- and/or GPU processing).
+ Keystone uses sha512_crypt for password hashing. This is insufficient
+ and provides limited protection (even with 10,000 rounds) against brute-
+ forcing of the password hashes (especially with FPGAs and/or GPU
+ processing).

  The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead
  of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.
https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone): In Progress
Status in OpenStack Identity (keystone) mitaka series: New
Status in OpenStack Identity (keystone) newton series: New
Status in OpenStack Identity (keystone) ocata series: New
Status in OpenStack Identity (keystone) pike series: In Progress
Status in OpenStack Security Advisory: Incomplete

From 1543048 at bugs.launchpad.net Tue Feb 28 05:46:41 2017
From: 1543048 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 28 Feb 2017 05:46:41 -0000
Subject: [Openstack-security] [Bug 1543048] Related fix proposed to keystone (master)
References: <20160208102502.15773.89678.malonedeb@gac.canonical.com>
Message-ID: <20170228054641.7722.41929.malone@chaenomeles.canonical.com>

Related fix proposed to branch: master
Review: https://review.openstack.org/438808

https://bugs.launchpad.net/bugs/1543048

Title: support alternative password hashing in keystone
Status in OpenStack Identity (keystone): In Progress

Bug description:
Once upon a time there was bug #862730 recommending that alternative password hashing be supported which was closed as invalid since hashing became a base-line feature of Keystone's passwords.
It would be generally beneficial to support at the very least the passlib implementation of bcrypt as an alternative to strictly sha512 based password hashing. Ideally this should also take into account the relatively new player scrypt. NIST has standardized (afaict) on the SHA-2 based hashing, which should remain the default. Architecture that will support some different password hashing made available at least through passlib will make keystone better in the long term, allowing for operators to determine more than just the SHA-2 based cost.

The proposal is as follows:
* Allow selected support of different password hashing algorithms from within passlib architecturally
* Expand to support bcrypt
* Deprecate the "crypt_strength" option in favor of identifying the cost when selecting the password hashing algorithm such as: sha512::10000 or bcrypt::12
* Keep the default the same as today
* Identify the password hash based upon the algorithm used, no identifier = sha512 (this might not be required)
* Add "py-bcrypt" or similar "preferred" backend(s) to extras in setup.cfg

From 1575909 at bugs.launchpad.net Tue Feb 28 12:42:56 2017
From: 1575909 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 28 Feb 2017 12:42:56 -0000
Subject: [Openstack-security] [Bug 1575909] Fix merged to horizon (master)
References: <20160427201532.25434.8113.malonedeb@wampee.canonical.com>
Message-ID: <20170228124256.21152.13291.malone@soybean.canonical.com>

Reviewed: https://review.openstack.org/434508
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=5137dc4fdd19de3494293731abffdfb7e5b26449
Submitter: Jenkins
Branch: master

commit 5137dc4fdd19de3494293731abffdfb7e5b26449
Author: Julie Gravel
Date: Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden

    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab should not be displayed
    in plain text due to security concerns. Set the PSK field in the Add Connection and the Edit Connection dialogs to be a password field to provide the user some protection when entering the value. Remove the PSK field from the details page since this is the pattern used with the password field in Identity Users panel.

    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909

https://bugs.launchpad.net/bugs/1575909

Title: VPN shared PSK shown in plaintext
Status in OpenStack Dashboard (Horizon): New
Status in OpenStack Security Advisory: Won't Fix
From fungi at yuggoth.org Tue Feb 28 14:02:03 2017
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 28 Feb 2017 14:02:03 -0000
Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170228140204.21088.52334.launchpad@soybean.canonical.com>

** Summary changed:

- sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
+ sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

** Description changed:

  Keystone uses sha512_crypt for password hashing. This is insufficient
  and provides limited protection (even with 10,000 rounds) against brute-
  forcing of the password hashes (especially with FPGAs and/or GPU
  processing).

- The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead
+ The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead
  of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.

https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Status in OpenStack Identity (keystone): In Progress
Status in OpenStack Identity (keystone) mitaka series: New
Status in OpenStack Identity (keystone) newton series: New
Status in OpenStack Identity (keystone) ocata series: New
Status in OpenStack Identity (keystone) pike series: In Progress
Status in OpenStack Security Advisory: Incomplete

Bug description:
Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).
The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt.

This bug is marked as public security as bug #1543048 has already highlighted this issue.

From 1543048 at bugs.launchpad.net Tue Feb 28 20:58:12 2017
From: 1543048 at bugs.launchpad.net (Dolph Mathews)
Date: Tue, 28 Feb 2017 20:58:12 -0000
Subject: [Openstack-security] [Bug 1543048] Re: support alternative password hashing in keystone
References: <20160208102502.15773.89678.malonedeb@gac.canonical.com>
Message-ID: <20170228205813.21959.6024.launchpad@gac.canonical.com>

** Information type changed from Public to Public Security

https://bugs.launchpad.net/bugs/1543048

Title: support alternative password hashing in keystone
Status in OpenStack Identity (keystone): In Progress

Bug description:
Once upon a time there was bug #862730 recommending that alternative password hashing be supported which was closed as invalid since hashing became a base-line feature of Keystone's passwords.

It would be generally beneficial to support at the very least the passlib implementation of bcrypt as an alternative to strictly sha512 based password hashing. Ideally this should also take into account the relatively new player scrypt. NIST has standardized (afaict) on the SHA-2 based hashing, which should remain the default. Architecture that will support some different password hashing made available at least through passlib will make keystone better in the long term, allowing for operators to determine more than just the SHA-2 based cost.
The proposal is as follows:
* Allow selected support of different password hashing algorithms from within passlib architecturally
* Expand to support bcrypt
* Deprecate the "crypt_strength" option in favor of identifying the cost when selecting the password hashing algorithm such as: sha512::10000 or bcrypt::12
* Keep the default the same as today
* Identify the password hash based upon the algorithm used, no identifier = sha512 (this might not be required)
* Add "py-bcrypt" or similar "preferred" backend(s) to extras in setup.cfg

From morgan.fainberg at gmail.com Tue Feb 28 21:46:00 2017
From: morgan.fainberg at gmail.com (Morgan Fainberg)
Date: Tue, 28 Feb 2017 21:46:00 -0000
Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170228214600.22165.93446.malone@gac.canonical.com>

As an update based upon the comments and discussion in keystone here is the course of action:

* No backports
* Pike will be updated to support pbkdf2_sha512, bcrypt, and scrypt (configurable) - default will be bcrypt
* For rolling upgrade purposes, keystone will still write sha512_crypt passwords to the old column, new column will be created for the new password hashes. This old crypt hash will be disable-able from being written via configuration option.
* In Q release, keystone will cease to write sha512_crypt and the configuration option will be deprecated for removal/removed (that toggles sha512_crypt writing).

This means OSSA can be closed, OSSN task can be opened if OSSG would like to issue an OSSN for this.
While sha512_crypt and sha256_crypt are used in many cases, these are in places that are typically more secure than web-facing applications (shadow file) where pbkdf2, bcrypt, and scrypt really shine and start providing significantly more protection against off-line brute force (especially since databases are more likely to be breached as they are more often accessible from more locations than the shadow/filesystem is).

https://bugs.launchpad.net/bugs/1668503

Title: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Status in OpenStack Identity (keystone): In Progress
Status in OpenStack Identity (keystone) mitaka series: New
Status in OpenStack Identity (keystone) newton series: New
Status in OpenStack Identity (keystone) ocata series: New
Status in OpenStack Identity (keystone) pike series: In Progress
Status in OpenStack Security Advisory: Incomplete
To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions From 1668503 at bugs.launchpad.net Tue Feb 28 21:57:22 2017 From: 1668503 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 28 Feb 2017 21:57:22 -0000 Subject: [Openstack-security] [Bug 1668503] Change abandoned on keystone (master) References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com> Message-ID: <20170228215722.20701.88427.malone@soybean.canonical.com> Change abandoned by Morgan Fainberg (morgan.fainberg at gmail.com) on branch: master Review: https://review.openstack.org/438808 Reason: Abandoning, no backports needed can go with a more comprehensive fix -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1668503 Title: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing Status in OpenStack Identity (keystone): In Progress Status in OpenStack Identity (keystone) mitaka series: New Status in OpenStack Identity (keystone) newton series: New Status in OpenStack Identity (keystone) ocata series: New Status in OpenStack Identity (keystone) pike series: In Progress Status in OpenStack Security Advisory: Incomplete Bug description: Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue. 
To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions From 1543048 at bugs.launchpad.net Tue Feb 28 21:57:25 2017 From: 1543048 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 28 Feb 2017 21:57:25 -0000 Subject: [Openstack-security] [Bug 1543048] Change abandoned on keystone (master) References: <20160208102502.15773.89678.malonedeb@gac.canonical.com> Message-ID: <20170228215725.7080.91160.malone@chaenomeles.canonical.com> Change abandoned by Morgan Fainberg (morgan.fainberg at gmail.com) on branch: master Review: https://review.openstack.org/438808 Reason: Abandoning, no backports needed can go with a more comprehensive fix -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1543048 Title: support alternative password hashing in keystone Status in OpenStack Identity (keystone): In Progress Bug description: Once upon a time there was bug #862730 recommending that alternative password hashing be supported which was closed as invalid since hashing became base-line feature of Keystone's passwords. It would be generally beneficial to support at the very least the passlib implementation of bcrypt as an alternative to strictly sha512 based password hashing. Ideally this should also take into account the relatively new player scrypt. NIST has standardized (afaict) on the SHA-2 based hashing, which should remain the default. Architecture that will support some different password hashing made available at least through passlib will make keystone better in the long term, allowing for operators to determine more than just the SHA-2 based cost. 
The proposal is as follows: * Allow selected support of different password hashing algorithms from with passlib architecturally * Expand to support bcrypt * Deprecate the "crypt_strength" option in favor of identifying the cost when selecting the password hashing algorithm such as: sha512::10000 or bcrypt::12 * Keep the default the same as today * Identify the password hash based upon the algorithm used, no identifier = sha512 (this might not be required) * Add "py-bcrypt" or similar "preferred" backend(s) to extras in setup.cfg To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1543048/+subscriptions From morgan.fainberg at gmail.com Tue Feb 28 23:03:09 2017 From: morgan.fainberg at gmail.com (Morgan Fainberg) Date: Tue, 28 Feb 2017 23:03:09 -0000 Subject: [Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing References: <20170228052347.7890.80677.malonedeb@chaenomeles.canonical.com> Message-ID: <20170228230312.5616.95049.launchpad@wampee.canonical.com> ** Changed in: keystone/ocata Status: New => Won't Fix ** Changed in: keystone/mitaka Status: New => Won't Fix ** Changed in: keystone/newton Status: New => Won't Fix -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1668503 Title: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing Status in OpenStack Identity (keystone): In Progress Status in OpenStack Identity (keystone) mitaka series: Won't Fix Status in OpenStack Identity (keystone) newton series: Won't Fix Status in OpenStack Identity (keystone) ocata series: Won't Fix Status in OpenStack Identity (keystone) pike series: In Progress Status in OpenStack Security Advisory: Incomplete Bug description: Keystone uses sha512_crypt for password hashing. 
This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
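The two design points discussed in this thread, the "algorithm::cost" selector proposed in bug 1543048 and the rolling-upgrade path from the 21:46 message (new hashes written in a self-describing form, legacy sha512_crypt recognised and replaced on the next successful login), as an added Python example. This is not keystone or passlib code. It assumes only the standard library: pbkdf2_sha512 and scrypt come from hashlib, bcrypt is left out because it needs a third-party package, and legacy sha512_crypt hashes are recognised by their standard "$6$" modular-crypt prefix and verified through the crypt module only where that module still exists. The stored-hash layout "$name$cost$salt$digest", the default costs, and the function names are this example's own choices.

```python
"""Selectable password hashing with self-describing hashes and upgrade-on-login.

Added example, not keystone or passlib code. Standard library only:
pbkdf2_sha512 and scrypt via hashlib; bcrypt omitted (third-party package).
"""
import base64
import hashlib
import hmac
import secrets
import warnings

try:  # crypt(3) binding: deprecated in 3.11, removed in 3.13
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
except ImportError:
    crypt = None

SUPPORTED = ("pbkdf2_sha512", "scrypt")
LEGACY_PREFIX = "$6$"  # standard modular-crypt identifier of sha512_crypt
DEFAULT_COST = {"pbkdf2_sha512": 25000, "scrypt": 14}  # example defaults, not keystone's


def parse_selector(selector):
    """Parse an "algorithm::cost" selector; a bare name takes the default cost."""
    name, sep, cost = selector.partition("::")
    if name not in SUPPORTED:
        raise ValueError("unsupported hashing algorithm: %r" % name)
    cost_value = int(cost) if sep else DEFAULT_COST[name]
    if cost_value <= 0:
        raise ValueError("cost must be a positive integer")
    return name, cost_value


def _derive(name, cost, salt, password):
    """Run the selected KDF; cost is PBKDF2 rounds or scrypt log2(N)."""
    pw = password.encode("utf-8")
    if name == "pbkdf2_sha512":
        return hashlib.pbkdf2_hmac("sha512", pw, salt, cost, dklen=64)
    # scrypt: N = 2**cost, r=8, p=1 are the usual parameters (memory = 128*r*N bytes)
    return hashlib.scrypt(pw, salt=salt, n=1 << cost, r=8, p=1, dklen=64)


def hash_password(password, selector):
    """Return "$name$cost$salt_b64$digest_b64" so the hash identifies itself."""
    name, cost = parse_selector(selector)
    salt = secrets.token_bytes(16)
    digest = _derive(name, cost, salt, password)
    b64 = lambda b: base64.b64encode(b).decode("ascii")  # base64 never contains "$"
    return "$%s$%d$%s$%s" % (name, cost, b64(salt), b64(digest))


def identify(stored):
    """Return (algorithm, cost) for a stored hash; legacy "$6$" hashes have no cost here."""
    if stored.startswith(LEGACY_PREFIX):
        return "sha512_crypt", None
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] not in SUPPORTED:
        raise ValueError("unrecognised hash format")
    return parts[1], int(parts[2])


def verify_password(password, stored):
    """Constant-time verification for both the new format and legacy sha512_crypt."""
    name, cost = identify(stored)
    if name == "sha512_crypt":
        if crypt is None:
            raise RuntimeError("legacy sha512_crypt verification needs the crypt module")
        return hmac.compare_digest(crypt.crypt(password, stored), stored)
    _, _, _, salt_b64, digest_b64 = stored.split("$")
    actual = _derive(name, cost, base64.b64decode(salt_b64), password)
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def needs_rehash(stored, selector):
    """True when the stored hash is legacy or weaker than the configured selector."""
    want_name, want_cost = parse_selector(selector)
    have_name, have_cost = identify(stored)
    return have_name != want_name or have_cost < want_cost


def login_and_upgrade(password, stored, selector):
    """Verify; on success return a replacement hash if the stored one is outdated.

    Returns (ok, new_hash_or_None). The caller writes new_hash to the new
    column, which is how a legacy hash gets retired without a mass reset.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, selector):
        return True, hash_password(password, selector)
    return True, None
```

A stored hash carries its own algorithm and cost, so raising the configured cost (or switching algorithms) only changes what `needs_rehash` reports; existing rows keep verifying and are migrated one login at a time.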