There appears to be nothing to fix here.
** Changed in: heat
Status: Confirmed => Invalid
https://bugs.launchpad.net/bugs/1267912
Title:
OS::Heat::RandomString uses OS entropy source directly
Status in Orchestration API (Heat):
Invalid
Bug description:
The RandomString resource documentation[1] suggests that it's useful
for generating passwords and secrets. It doesn't mention the security
guarantees, however.
Heat seems to be using random.SystemRandom[2]. I'd like us to switch to
something like PyCrypto or better yet, have Oslo provide a
cryptographically secure random generator and use that.
On Linux, random.SystemRandom reads from /dev/urandom which, if I
understand things correctly, can have its entropy depleted. So a Heat
user could use a template that asks for a huge amount of randomness
and empty the entropy pool of the entire system (not just Heat).
This would probably be difficult to exploit, but I think it'd be safer
to use the entropy to seed a CSPRNG instead of using it directly. Which
is exactly what PyCrypto seems to do.
Regardless, the security guarantees and implications of
OS::Heat::RandomString should be documented.
[1]: http://docs.openstack.org/developer/heat/template_guide/openstack.html#OS::Heat::RandomString
[2]: https://github.com/openstack/heat/blob/master/heat/engine/resources/random_string.py#L81
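An added example, not part of the bug report and not Heat's code: a sketch of a secret-string generator built on random.SystemRandom, with a cap on the requested length and an entropy estimate that documentation could quote as the guarantee. The names random_string, entropy_bits, min_length_for and ALNUM, and the MAX_LENGTH value, are assumptions made for illustration.

```python
import math
import random
import string

# Assumed cap on a single request; not a value taken from Heat.
MAX_LENGTH = 512
ALNUM = string.ascii_letters + string.digits

# random.SystemRandom draws every value from os.urandom(), i.e. the
# operating system's random source; it keeps no user-space seed or state.
_sysrand = random.SystemRandom()


def entropy_bits(length, alphabet):
    """Entropy, in bits, of `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def min_length_for(bits, alphabet):
    """Shortest string length whose uniform draw reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(len(set(alphabet))))


def random_string(length, alphabet=ALNUM):
    """Return `length` characters drawn uniformly from `alphabet`."""
    if not isinstance(length, int) or isinstance(length, bool):
        raise TypeError("length must be an int")
    # Bound the amount of randomness one caller can request.
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError("length must be between 1 and %d" % MAX_LENGTH)
    # Drop duplicates so every character is equally likely.
    chars = sorted(set(alphabet))
    if len(chars) < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    # choice() picks an index from getrandbits() with rejection of
    # out-of-range values, so there is no modulo bias.
    return "".join(_sysrand.choice(chars) for _ in range(length))


if __name__ == "__main__":
    n = min_length_for(128, ALNUM)
    print(n, round(entropy_bits(n, ALNUM), 1), random_string(n))
```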