[Openstack-security] [Bug 1661333] Re: Cinder Brocade driver does not do certificate validation
Jeremy Stanley
fungi at yuggoth.org
Tue Feb 7 16:31:12 UTC 2017
The following related reports were also submitted publicly today as
security hardening opportunities:
bug 1662556
bug 1662558
bug 1662560
bug 1662561
bug 1662563
bug 1662564
Since there have been no objections from the core security reviewers for
Cinder, I'm going ahead and switching this to a public hardening
opportunity report similarly.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1661333
Title:
Cinder Brocade driver does not do certificate validation
Status in Cinder:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
It is observed that the brocade driver found at
cinder/zonemanager/drivers/brocade/brcd_http_fc_zone_client.py makes a
https connection to the switch (virtual fabric) without certificate
validation. As seen in the code below, the code creates a requests
session and hard-codes certificate verification as False, thus
disabling certificate validation in all cases. There's no option to
enable certificate validation (verify=True) or point to the path of
the root certificate (verify=<path>).
        if requestType == zone_constant.GET_METHOD:
            # verify=False is hard-coded: the switch certificate is never checked
            response = self.session.get(url,
                                        headers=(header),
                                        verify=False)
        elif requestType == zone_constant.POST_METHOD:
            # same hard-coded verify=False on the POST path
            response = self.session.post(url,
                                         payload,
                                         headers=(header),
                                         verify=False)
This could lead to insecure communication and man-in-the-middle
attacks.
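The following is an added illustration, not code from the Cinder driver or from the bug reporter: a small stand-alone HTTPS client for the switch in which certificate verification is configurable (enabled by default, optionally pointed at a CA bundle) instead of hard-coded off. It uses only the Python standard library (ssl and http.client, not requests), and the option names cert_verify and cert_path are assumptions chosen for the example, not Cinder's real configuration keys. The cert_verify=False branch is included only to show what the hard-coded verify=False in the report is equivalent to at the TLS layer.

```python
"""Configurable TLS certificate verification for a switch HTTPS client.

Added example; option names (cert_verify, cert_path) are hypothetical.
"""
import http.client
import os
import ssl
import urllib.parse


def build_ssl_context(cert_verify=True, cert_path=None):
    """Return an SSLContext matching the operator's verification choice.

    cert_verify=True, cert_path=None  -> system trust store, hostname checked
    cert_verify=True, cert_path=<pem> -> only that CA bundle trusted, hostname checked
    cert_verify=False                 -> equivalent of requests' verify=False
    """
    if not cert_verify:
        # This is what the original verify=False does: no chain validation and
        # no hostname check, so any certificate (including an attacker's) is accepted.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if cert_path is not None:
        # Fail loudly on a missing bundle rather than silently falling back
        # to an unverified connection.
        if not os.path.isfile(cert_path):
            raise ValueError("CA bundle not found: %s" % cert_path)
        ctx = ssl.create_default_context(cafile=cert_path)
    else:
        ctx = ssl.create_default_context()

    # create_default_context already sets these; restate them so the intent
    # survives later edits to this function.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def is_verifying(ctx):
    """True when the context validates both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


class ZoneHttpClient:
    """Minimal stand-in for the driver's session: one context, reused per call."""

    def __init__(self, base_url, cert_verify=True, cert_path=None):
        parsed = urllib.parse.urlsplit(base_url)
        if parsed.scheme != "https":
            raise ValueError("switch URL must use https: %s" % base_url)
        self.host = parsed.hostname
        self.port = parsed.port or 443
        self.context = build_ssl_context(cert_verify, cert_path)

    def request(self, method, path, body=None, headers=None):
        """Send one GET/POST; returns (status, body bytes). Not called offline."""
        conn = http.client.HTTPSConnection(
            self.host, self.port, context=self.context, timeout=30)
        try:
            conn.request(method, path, body=body, headers=headers or {})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()


if __name__ == "__main__":
    # Constructed switch address; no connection is made here.
    client = ZoneHttpClient("https://switch.example.invalid:443")
    print("verifying:", is_verifying(client.context))
```

The point of routing every call through one context built from configuration is that there is exactly one place where verification can be switched off, and it is off only when an operator explicitly asks for it; a quick audit of a deployed driver is then to confirm that is_verifying() holds for the context the client actually uses.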
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1661333/+subscriptions