VMWare: file writer class uses unsafe SSL connection

Bug #1374000 reported by Sean Dague
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Critical | Davanum Srinivas (DIMS) |
oslo.vmware | Fix Released | High | Davanum Srinivas (DIMS) |

Bug Description

VMwareHTTPWriteFile uses httplib.HTTPSConnection objects. In Python 2.x those do not perform CA checks so client connections are vulnerable to MiM attacks.

This is the specific version of https://bugs.launchpad.net/nova/+bug/1188189

Tags: vmware
Sean Dague (sdague)
Changed in nova:
status: New → Triaged
importance: Undecided → Critical
tags: added: vmware
Boden R (boden)
Changed in nova:
assignee: nobody → Boden R (boden)
status: Triaged → In Progress
Davanum Srinivas (DIMS) (dims-v) wrote :

Same code is also in oslo/vmware/rw_handles.py
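Added example, not part of the original report and not nova or oslo.vmware code: since the same pattern turned up in more than one module, a small AST audit can list every HTTPSConnection construction that passes no TLS context (so it relies on the interpreter default the report describes) or that explicitly turns verification off. The sample source, function names and verdict strings are constructed for illustration.

```python
import ast

# Constructed sample in the style the report describes; not nova or oslo.vmware source.
SAMPLE = '''\
import httplib, ssl

def writer(host, port):
    return httplib.HTTPSConnection(host, port)

def checked(host, port, ca_file):
    ctx = ssl.create_default_context(cafile=ca_file)
    return httplib.HTTPSConnection(host, port, context=ctx)

def disabled(host):
    return httplib.HTTPSConnection(host, context=ssl._create_unverified_context())

def forwarded(host, **kw):
    return httplib.HTTPSConnection(host, **kw)
'''


def _name(node):
    """Last component of a call target: pkg.Foo -> 'Foo', Foo -> 'Foo'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def audit_https_calls(source):
    """Return sorted (line, verdict) pairs for risky HTTPSConnection constructions."""
    # Assumption: a TLS context, if any, is passed with the context= keyword.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _name(node.func) == "HTTPSConnection"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        ctx = kwargs.get("context")
        if ctx is None or (isinstance(ctx, ast.Constant) and ctx.value is None):
            # **kwargs appears with arg=None: the caller decides, so flag for review.
            verdict = "review-kwargs" if None in kwargs else "no-context"
        elif isinstance(ctx, ast.Call) and _name(ctx.func) == "_create_unverified_context":
            verdict = "verification-disabled"
        else:
            continue  # explicit context supplied; its settings still need a manual look
        findings.append((node.lineno, verdict))
    return sorted(findings)
```

Calling audit_https_calls() on the text of each module gives the line numbers to inspect; a clean result only means no call matched these patterns, not that every supplied context is configured to verify.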

Davanum Srinivas (DIMS) (dims-v) wrote :

Boden,

Here's the change I had already in progress for oslo.vmware that uses requests
https://review.openstack.org/#/c/121956/

Boden R (boden) wrote :

Given the work Dims is doing in oslo.vmware as noted above - IMO it makes sense to replace the current usage of nova.virt.vmwareapi.read_write_util's VMwareHttp{Read|Write}File classes with oslo.vmware once his work lands.

Changed in nova:
assignee: Boden R (boden) → Davanum Srinivas (DIMS) (dims-v)
Changed in oslo.vmware:
status: New → In Progress
assignee: nobody → Davanum Srinivas (DIMS) (dims-v)
importance: Undecided → High
Tracy Jones (tjones-i) wrote :

That patch has landed. Boden, do you want to take a crack at it?

Davanum Srinivas (DIMS) (dims-v) wrote :

Sean, waiting for https://review.openstack.org/#/c/141099/ to merge for bumping up oslo.vmware version to 0.8.0

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/142118

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/142118
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1eb7fd233d29d2eb6c7c3c50b306c1a8602eb01f
Submitter: Jenkins
Branch: master

commit 1eb7fd233d29d2eb6c7c3c50b306c1a8602eb01f
Author: Davanum Srinivas <email address hidden>
Date: Tue Dec 16 09:33:34 2014 -0500

    Switch to oslo.vmware API for reading and writing files

    This started off as an exercise to remove httplib.HTTPSConnection
    to prevent MiM attacks but morphed into a full fledged replacement
    of code in read_write_util to use functionality from oslo.vmware.

    As a side-effect, we remove the use of the HTTPSConnection and
    are switching over to requests library as well.

    Closes-Bug: #1374000
    Change-Id: I917c34042c501af03725b0504542e00e7d80e511

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Changed in oslo.vmware:
status: In Progress → Fix Committed
Changed in oslo.vmware:
milestone: none → 0.10.0
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-2 → 2015.1.0