[Openstack-security] [Bug 1188189] Re: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)
Chris Suttles
1188189 at bugs.launchpad.net
Mon Mar 20 04:20:29 UTC 2017
Current status:
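# Survey every cinder volume driver for six.moves http_client usage, printing the
# file name followed by each matching line with its line number. The bug under
# review concerns HTTPSConnection objects created without certificate
# verification, so every HTTPSConnection(...) hit is a candidate to inspect.
#
# grep -n reports the real line number. The earlier `nl $file | grep` form is
# misleading here because nl numbers only non-empty lines by default, so its
# numbers drift from the true position once a file contains blank lines.
# "$file" is quoted and read uses -r so paths with spaces or backslashes are
# passed through intact.
find cinder/cinder/volume/drivers -name '*.py' | while IFS= read -r file ; do
    echo "$file"
    grep -n http_client "$file"
done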
cinder/cinder/volume/drivers/blockbridge.py
24 from six.moves import http_client
128 connection = http_client.HTTPSConnection(cfg['host'], cfg['port'])
cinder/cinder/volume/drivers/dell_emc/vmax/https.py
28 from six.moves import http_client
63 Supplies an additional 'makefile' method which http_client requires
74 class HTTPSConnection(http_client.HTTPSConnection):
86 http_client.HTTPSConnection.__init__(self, host, port,
222 response in XML. Uses Python's build-in http_client. x509 may be a
282 except http_client.BadStatusLine as arg:
cinder/cinder/volume/drivers/falconstor/rest_proxy.py
23 from six.moves import http_client
821 connection = http_client.HTTPConnection(self.hostip, 80, timeout=60)
cinder/cinder/volume/drivers/prophetstor/dplcommon.py
31 from six.moves import http_client
90 connection = http_client.HTTPSConnection(self.ip,
108 except http_client.CannotSendRequest as e:
111 connection = http_client.HTTPSConnection(self.ip,
131 if response.status == http_client.SERVICE_UNAVAILABLE:
140 except http_client.ResponseNotReady as e:
151 and response.status == http_client.NOT_FOUND):
158 'response': http_client.responses[response.status],
160 if response.status == http_client.UNAUTHORIZED:
164 elif retcode == 0 and response.status is http_client.NOT_FOUND:
166 elif retcode == 0 and response.status is http_client.ACCEPTED:
180 response.status in [http_client.OK, http_client.CREATED] and
181 http_client.NO_CONTENT not in expected_status):
211 [http_client.OK, http_client.ACCEPTED])
233 [http_client.OK, http_client.ACCEPTED,
234 http_client.CREATED])
253 [http_client.OK, http_client.ACCEPTED,
254 http_client.CREATED])
264 [http_client.OK, http_client.ACCEPTED,
265 http_client.NOT_FOUND, http_client.NO_CONTENT])
290 [http_client.OK, http_client.ACCEPTED,
291 http_client.CREATED])
307 [http_client.OK, http_client.ACCEPTED,
308 http_client.CREATED])
312 return self._execute(method, url, None, [http_client.OK])
317 [http_client.OK, http_client.ACCEPTED])
341 [http_client.OK, http_client.CREATED,
342 http_client.ACCEPTED])
361 [http_client.OK, http_client.CREATED,
362 http_client.ACCEPTED])
368 [http_client.OK, http_client.ACCEPTED,
369 http_client.NOT_FOUND])
376 [http_client.OK, http_client.NOT_FOUND])
383 [http_client.OK, http_client.NOT_FOUND])
406 [http_client.OK, http_client.ACCEPTED,
407 http_client.CREATED])
427 [http_client.OK, http_client.ACCEPTED,
428 http_client.CREATED])
445 [http_client.OK, http_client.ACCEPTED,
446 http_client.NO_CONTENT, http_client.NOT_FOUND])
462 [http_client.OK, http_client.ACCEPTED,
463 http_client.NO_CONTENT, http_client.NOT_FOUND])
477 [http_client.OK, http_client.ACCEPTED,
478 http_client.NO_CONTENT, http_client.NOT_FOUND])
486 [http_client.OK, http_client.ACCEPTED])
497 [http_client.OK])
508 [http_client.OK])
524 return self._execute(method, url, params, [http_client.OK])
528 return self._execute(method, url, None, [http_client.OK])
534 [http_client.OK, http_client.ACCEPTED,
535 http_client.NOT_FOUND])
543 return self._execute(method, url, None, [http_client.OK])
551 return self._execute(method, url, params, [http_client.OK])
570 [http_client.OK, http_client.ACCEPTED,
571 http_client.CREATED])
578 return self._execute(method, url, None, [http_client.OK])
582 return self._execute(method, url, None, [http_client.OK])
591 [http_client.NO_CONTENT, http_client.NOT_FOUND])
602 [http_client.OK, http_client.ACCEPTED])
613 [http_client.OK, http_client.ACCEPTED])
cinder/cinder/volume/drivers/qnap.py
34 from six.moves import http_client
694 connection = http_client.HTTPSConnection(management_ip,
698 connection = http_client.HTTPSConnection(management_ip,
702 http_client.HTTPConnection(management_ip, management_port))
721 connection = http_client.HTTPSConnection(nas_ip,
725 connection = http_client.HTTPSConnection(
728 connection = http_client.HTTPConnection(nas_ip, self.port)
cinder/cinder/volume/drivers/zfssa/restclient.py
22 from six.moves import http_client
31 OK = http_client.OK
33 CREATED = http_client.CREATED
35 ACCEPTED = http_client.ACCEPTED
37 NO_CONTENT = http_client.NO_CONTENT
39 BAD_REQUEST = http_client.BAD_REQUEST
41 UNAUTHORIZED = http_client.UNAUTHORIZED
43 FORBIDDEN = http_client.FORBIDDEN
45 NOT_FOUND = http_client.NOT_FOUND
47 NOT_ALLOWED = http_client.METHOD_NOT_ALLOWED
49 TIMEOUT = http_client.REQUEST_TIMEOUT
51 CONFLICT = http_client.CONFLICT
53 BUSY = http_client.SERVICE_UNAVAILABLE
72 self.data = http_client.responses[self.status]
96 if status in http_client.responses:
97 self.msg = http_client.responses[status]
140 if result.status == http_client.CREATED:
146 elif result.status == http_client.NOT_FOUND:
243 if err.code == http_client.NOT_FOUND:
247 if err.code == http_client.SERVICE_UNAVAILABLE and \
253 if (err.code == http_client.UNAUTHORIZED or
254 err.code == http_client.INTERNAL_SERVER_ERROR) and \
275 (response.getcode() == http_client.SERVICE_UNAVAILABLE and
cinder/cinder/volume/drivers/zfssa/webdavclient.py
19 from six.moves import http_client
28 http_client.UNAUTHORIZED: _('User not authorized to perform WebDAV '
30 http_client.BAD_GATEWAY: bad_gateway_err,
31 http_client.FORBIDDEN: _('Check access permissions for the ZFS share '
33 http_client.NOT_FOUND: _('The source volume for this WebDAV operation not '
35 http_client.INSUFFICIENT_STORAGE: _('Not enough storage space in the ZFS '
59 if error in http_client.responses:
60 msg = http_client.responses[error]
97 if err.code == http_client.INTERNAL_SERVER_ERROR:
112 except http_client.BadStatusLine as err:
114 code = 'http_client.BadStatusLine'
https://bugs.launchpad.net/bugs/1188189
Title:
Some server-side 'SSL' communication fails to check certificates (use
of HTTPSConnection)
Status in Cinder:
Triaged
Status in OpenStack Identity (keystone):
Fix Released
Status in neutron:
Fix Released
Status in oslo.vmware:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Status in python-keystoneclient:
Fix Released
Status in OpenStack Object Storage (swift):
Invalid
Bug description:
Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
objects. In Python 2.x those do not validate the server certificate
against a CA, so client connections are vulnerable to man-in-the-middle
(MITM) attacks.
"""
The following files use httplib.HTTPSConnection :
keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
As far as I can tell, HTTPSConnection does not validate server certificates
and should be avoided. This is fixed in Python 3; in 2.x, however, no
validation occurs. I suspect this also applies to most OpenStack modules
that make HTTPS client calls.
Similar problems were found in ovirt:
https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)
With solutions for ovirt:
http://gerrit.ovirt.org/#/c/7209/
http://gerrit.ovirt.org/#/c/7249/
"""