[Openstack-security] [Bug 1674191] Re: HTTPS connection and authentication are not supported between swift-proxy and swift-account-server/swift-container-server/swift-object-server.
Jeremy Stanley
fungi at yuggoth.org
Mon Mar 20 18:06:43 UTC 2017
Based on John's input above, this is more a class D report (security
hardening opportunity) with no need for embargo nor advisory. Triaging
accordingly.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
HTTPS connection and authentication are not supported between swift-
proxy and swift-account-server/swift-container-server/swift-object-
server.
The issue description as following:
All the components of swift-proxy, swift-account-server, swift-container-server, swift-object-server can be deployed in multi-node. All the services of swift-store can be access without authentication, swift-proxy as a client, it communicates to the swift-store though clear http connection. If an attacker in internal-base network, he can get the transfered information easily, he also can attack the swift-store services with rest-api-command.
The base-cvss-score of the issue is 6.3.
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1674191
Title:
HTTPS connection and authentication are not supported between swift-
proxy and swift-account-server/swift-container-server/swift-object-
server.
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Object Storage (swift):
Confirmed
Bug description:
HTTPS connection and authentication are not supported between swift-
proxy and swift-account-server/swift-container-server/swift-object-
server.
The issue description as following:
All the components of swift-proxy, swift-account-server, swift-container-server, swift-object-server can be deployed in multi-node. All the services of swift-store can be access without authentication, swift-proxy as a client, it communicates to the swift-store though clear http connection. If an attacker in internal-base network, he can get the transfered information easily, he also can attack the swift-store services with rest-api-command.
The base-cvss-score of the issue is 6.3.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1674191/+subscriptions
More information about the Openstack-security
mailing list