[openstack-dev] [OSSN 0063] Nova and Cinder key manager for Barbican misuses cached credentials

2016-06-09 Thread Nathan Kinder
Nova and Cinder key manager for Barbican misuses cached credentials --- ### Summary ### During the Icehouse release the Cinder and Nova projects added a feature that supports storage volume encryption using keys stored in Barbican. The Barbican key manager, that is part of Nova and Cinder, had a b

Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Nathan Kinder
looks to me like OSSN-0056 was written during a mid-cycle and could be > the right one. > > > > I’m struggling to work out the story behind OSSN-0050 – I’m adding > Nathan Kinder who might be able to shed more light on this. It looks like that one was added to the wiki b

[openstack-dev] [OSSN 0062] Potential reuse of revoked Identity tokens

2015-12-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Potential reuse of revoked Identity tokens - --- ### Summary ### An authorization token issued by the Identity service can be revoked, which is designed to immediately make that token invalid for future use. When the PKI or PKIZ token providers are

[openstack-dev] [OSSN 0061] Glance image signature uses an insecure hash algorithm (MD5)

2015-12-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Glance image signature uses an insecure hash algorithm (MD5) - --- ### Summary ### During the Liberty release the Glance project added a feature that supports verifying images by their signature. There is a flaw in the implementation that degrades v

[openstack-dev] [OSSN 0059] Trusted VM can be powered on untrusted hosts

2015-11-16 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Trusted VM can be powered on untrusted hosts - --- ### Summary ### A trusted VM that has been launched earlier on a trusted host can still be powered on from the same host even after the trusted host is compromised. ### Affected Services / Software

[openstack-dev] [OSSN 0057] DoS attack on Glance service can lead to interruption or disruption

2015-10-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 DoS attack on Glance service can lead to interruption or disruption - --- ### Summary ### The typical Glance workflow allows authenticated users to create an image and upload the image content in a separate step. This can be abused by malicious user

[openstack-dev] [OSSN 0053] Keystone token disclosure may result in malicious trust creation

2015-09-23 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Keystone token disclosure may result in malicious trust creation - --- ### Summary ### Keystone tokens are the foundation of authentication and authorization in OpenStack. When a service node is compromised, it is possible that an attacker would hav

[openstack-dev] [OSSN 0056] Cached keystone tokens may be accepted after revocation

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cached keystone tokens may be accepted after revocation - --- ### Summary ### Keystone auth_token middleware token and revocation list caching is used to reduce the load on the keystone service. The default token cache time is set to 300 seconds and

[openstack-dev] [OSSN 0058] Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes - --- ### Summary ### When using the LVMISCSIDriver with Cinder, the credentials for CHAP authentication are not formatted correctly in the tgtadm configuration file. This lead

[openstack-dev] [OSSN 0054] Potential Denial of Service in Horizon login

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Potential Denial of Service in Horizon login - --- ### Summary ### Horizon uses the Python based Django web framework. Older versions of this framework allow an unauthorized user to fill up the session store database causing a Horizon denial of serv

[openstack-dev] [OSSN 0055] Service accounts may have cloud admin privileges

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Service accounts may have cloud admin privileges - --- ### Summary ### OpenStack services (for example Nova and Glance) typically use a service account in Keystone to perform actions. In some cases this service account has full admin privileges, ma

[openstack-dev] [OSSN 0052] Python-swiftclient exposes raw token values in debug logs

2015-09-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Python-swiftclient exposes raw token values in debug logs - --- ### Summary ### The password and authentication token configuration options for the python-swiftclient are not marked as secret. The values of these options will be logged to the standa

[openstack-dev] [OSSN 0049] Nova ironic driver logs sensitive information while operating in debug mode

2015-07-07 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova ironic driver logs sensitive information while operating in debug mode - --- ### Summary ### The password and authentication token configuration options for the ironic driver in nova are not marked as secret. The values of these options will be l

Re: [openstack-dev] [Security] Nominating Michael McCune for Security CoreSec

2015-06-18 Thread Nathan Kinder
On 06/15/2015 09:16 AM, McPeak, Travis wrote: > I’d like to propose Michael McCune for CoreSec membership. > > I’ve worked with Michael (elmiko) on numerous security tasks and > bugs, and he has a great grasp on security concepts and is very active > in the OpenStack security community. I think

Re: [openstack-dev] [Security] Nominating Travis McPeak for Security CoreSec

2015-06-18 Thread Nathan Kinder
On 06/16/2015 02:28 AM, Clark, Robert Graham wrote: > I’d like to nominate Travis for a CoreSec position as part of the > Security project. - CoreSec team members support the VMT with extended > consultation on externally reported vulnerabilities. > > > > Travis has been an active member of t

Re: [openstack-dev] [security] Nominating Mike McCune as Security-Doc Core

2015-05-22 Thread Nathan Kinder
On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote: > To the Security and Docs groups as well as other interested parties, > > I would like to nominate Mike McCune to the Security Guide core. He has been > contributing to the Security Guide for about six months now, and he has been > a consistent

[openstack-dev] [OSSN 0046] Setting services to debug mode can also set Pecan to debug

2015-05-11 Thread Nathan Kinder
Setting services to debug mode can also set Pecan to debug --- ### Summary ### When debug mode is set for a service using Pecan (via --debug or CONF.debug=True) Pecan is also set to debug. This can result in accidental information disclosures. ### Affected Services / Software ### Blazar, Ceilomet

[openstack-dev] [OSSN 0048] Glance method filtering does not work under certain conditions

2015-04-30 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance method filtering does not work under certain conditions - --- ### Summary ### Glance is using the Python assert statement for validating the HTTP method type in its caching middleware for some image endpoints. The Python documentation states th

[openstack-dev] [OSSN 0047] Keystone does not validate that identity providers match federation mappings

2015-04-19 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone does not validate that identity providers match federation mappings - --- ### Summary ### Keystone's OS-FEDERATION extension does not enforce a link between an identity provider and a federation mapping. This can lead to assertions or claims

[openstack-dev] [OSSN 0045] Vulnerable clients allow a TLS protocol downgrade (FREAK)

2015-03-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Vulnerable clients allow a TLS protocol downgrade (FREAK) - --- ### Summary ### Some client-side libraries, including un-patched versions of OpenSSL, contain a vulnerability which can allow a man-in-the-middle (MITM) to force a TLS version downgrade.

Re: [openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Nathan Kinder
On 03/05/2015 01:14 PM, Bryan D. Payne wrote: > To security-doc core and other interested parties, > > Nathaniel Dillon has been working consistently on the security guide > since our first mid-cycle meet up last summer. In that time he has come > to understand the inner workings of the book an

[openstack-dev] [OSSN 0044] Older versions of noVNC allow session theft

2015-03-02 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Older versions of noVNC allow session theft - --- ### Summary ### Commonly packaged versions of noVNC allow an attacker to hijack user sessions even when TLS is enabled. noVNC fails to set the secure flag when setting cookies containing an authenticat

[openstack-dev] [OSSN 0043] glibc 'GHOST' vulnerability can allow remote code execution

2015-02-05 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 glibc 'GHOST' vulnerability can allow remote code execution - --- ### Summary ### A serious vulnerability in the GNU C library (glibc) gethostbyname* functions can allow an attacker to perform remote code execution with the privileges of the applicati

[openstack-dev] [OSSN 0038] Suds client subject to cache poisoning by local attacker

2014-12-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Suds client subject to cache poisoning by local attacker - --- ### Summary ### Suds is a Python SOAP client for consuming Web Services. Its default cache implementation stores pickled objects to a predictable path in /tmp. This can be used by a local

[openstack-dev] [OSSN 0042] Keystone token scoping provides no security benefit

2014-12-17 Thread Nathan Kinder
nded Action ### Users and deployers of OpenStack must not rely on the scope of tokens to limit what actions can be performed using them. Concerned users are encouraged to read (OSSG member) Nathan Kinder's blog post on this issue and some of the potential future solutions. ### Contacts / Referen

Re: [openstack-dev] [Ironic] A mascot for Ironic

2014-11-18 Thread Nathan Kinder
On 11/16/2014 10:51 AM, David Shrewsbury wrote: > >> On Nov 16, 2014, at 8:57 AM, Chris K > > wrote: >> >> How cute. >> >> maybe we could call him bear-thoven. >> >> Chris >> > > I like Blaze Bearly, lead singer for Ironic Maiden. :) > > https://en.wikipedia.org/wi

[openstack-dev] [OSSN 0039] Configuring OpenStack deployments to prevent POODLE attacks

2014-10-21 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Configuring OpenStack deployments to prevent POODLE attacks - --- ### Summary ### POODLE (CVE-2014-3566) is a new attack on SSLv3 that allows an active network-based attacker to recover the plaintext from a secure connection using a CBC-mode cipher. U

[openstack-dev] [OSSN 0025] Possible Glance image exposure via Swift

2014-10-21 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Possible Glance image exposure via Swift - --- ### Summary ### Glance is able to use Swift as a back end for storing virtual machine images. When Glance is configured this way (in multi-tenant mode only), it is possible for unauthenticated users to ac

Re: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

2014-10-18 Thread Nathan Kinder
On 10/18/2014 08:43 AM, lohit.valleru wrote: > Hello, > > Thank you for posting this issue to openstack-dev. I had posted this on the > openstack general user list and was waiting for response. > > May i know, if we have any progress regarding this issue. > > I am trying to use external HTTPD

Re: [openstack-dev] [Keystone] external AuthN Identity Backend

2014-10-16 Thread Nathan Kinder
On 10/16/2014 12:30 PM, Dave Walker wrote: > Hi, > > I think I considered the Federated plugin as a mismatch as it dealt > with 'remote' auth rather than 'external' auth. I thought it was for > purely handling SSO / SAML2, and not being subordinate to auth with > the webserver. > > I'll dig in

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Nathan Kinder
e authorization that I'm delegating to those services. Keystone trusts already have the ability to explicitly define the roles that will be present in the issued trust tokens, but I have no way of knowing what roles are required to perform a particular action without consulting the policy. -NGK >

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-13 Thread Nathan Kinder
On 10/13/2014 01:17 PM, Morgan Fainberg wrote: > Description of the problem: Without attempting an action on an endpoint with > a current scoped token, it is impossible to know what actions are available > to a user. > > > Horizon makes some attempts to solve this issue by sourcing all of the

[openstack-dev] [OSSN 0028] Nova leaks compute host SMBIOS serial number to guests

2014-10-03 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova leaks compute host SMBIOS serial number to guests - --- ### Summary ### When Nova is using the libvirt virtualization driver, the SMBIOS serial number supplied by libvirt is provided to the guest instances that are running on a compute node. This

Re: [openstack-dev] [OSSN 0029] Neutron FWaaS rules lack port restrictions when using protocol 'any'

2014-09-29 Thread Nathan Kinder
/2014 09:58 AM, Nathan Kinder wrote: > Neutron FWaaS rules lack port restrictions when using protocol > 'any' --- > > ### Summary ### A bug in the Neutron FWaaS (Firewall as a Service) > code results in iptables rules being generated that do not reflect > desired por

[openstack-dev] [OSSN 0030] Bash 'shellshock' bug can lead to code injection vulnerability

2014-09-26 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bash 'shellshock' bug can lead to code injection vulnerability - --- ### Summary ### A bug in the GNU Bash shell (4.3 and lower) exposes a code injection vulnerability via crafted environment variables (Shellshock, CVE-2014-6271, CVE-2014-7169). Throu

[openstack-dev] [OSSN 0024] Sensitive data is exposed in log statements by python-keystoneclient

2014-09-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sensitive data is exposed in log statements by python-keystoneclient - --- ### Summary ### Python-keystoneclient is a client tool for the OpenStack Identity API, which is implemented by the Keystone project. Various OpenStack services including the Op

[openstack-dev] [OSSN 0029] Neutron FWaaS rules lack port restrictions when using protocol 'any'

2014-09-24 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Neutron FWaaS rules lack port restrictions when using protocol 'any' - --- ### Summary ### A bug in the Neutron FWaaS (Firewall as a Service) code results in iptables rules being generated that do not reflect desired port restrictions. This behaviour

[openstack-dev] [OSSN 0027] Neutron ARP cache poisoning vulnerability

2014-09-16 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Neutron ARP cache poisoning vulnerability - --- ### Summary ### The Neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning, as this driver is currently only capable of MAC address and IP address based anti-spoofing rules. How

Re: [openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility

2014-09-15 Thread Nathan Kinder
On 09/12/2014 12:46 AM, Angus Lees wrote: > On Thu, 11 Sep 2014 03:21:52 PM Steven Hardy wrote: >> On Wed, Sep 10, 2014 at 08:46:45PM -0400, Jamie Lennox wrote: >>> For service to service communication there are two types. >>> 1) using the user's token like nova->cinder. If this token expires the

[openstack-dev] [OSSN 0020] Disassociating floating IPs does not terminate NAT connections with Neutron L3 agent

2014-09-15 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Disassociating floating IPs does not terminate NAT connections with Neutron L3 agent - --- ### Summary ### Every virtual instance is automatically assigned a private IP address. You may optionally assign public IP addresses to instances. OpenStack use

Re: [openstack-dev] [kesytone][multidomain] - Time to leave LDAP backend?

2014-09-08 Thread Nathan Kinder
On 09/01/2014 01:43 AM, Marcos Fermin Lobo wrote: > Hi all, > > > > I found two functionalities for keystone that could be against each other. > > > > Multi-domain feature (This functionality is new in Juno.) > > --- > > Link: > http://docs.openstack.org/develope

[openstack-dev] [OSSN 0026] Unrestricted write permission to config files can allow code execution

2014-09-05 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Unrestricted write permission to config files can allow code execution - --- ### Summary ### In numerous places throughout OpenStack projects, variables are read directly from configuration files and used to construct statements which are executed wit

[openstack-dev] [OSSN 0023] Keystone logs auth tokens in URLs at the INFO log level

2014-09-04 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone logs auth tokens in URLs at the INFO log level - --- ### Summary ### When a client accesses Keystone using the Identity API version 2, the tokens will be logged as part of some request URLs. Specifically all requests to the tokens resource wi

Re: [openstack-dev] [Openstack-stable-maint] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 05:40 PM, Nathan Kinder wrote: > > > On 08/17/2014 01:58 PM, Matt Riedemann wrote: >> >> >> On 8/17/2014 3:36 PM, Alan Pevec wrote: >>> 2014-08-17 22:25 GMT+02:00 Matt Riedemann : >>>> The other thing I thought was we could cap the

Re: [openstack-dev] [Openstack-stable-maint] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 01:58 PM, Matt Riedemann wrote: > > > On 8/17/2014 3:36 PM, Alan Pevec wrote: >> 2014-08-17 22:25 GMT+02:00 Matt Riedemann : >>> The other thing I thought was we could cap the version of >>> python-keystoneclient in stable/havana, would that be bad? >>> stable/havana is >>> going

Re: [openstack-dev] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 09:18 AM, Nathan Kinder wrote: > > > On 08/17/2014 09:08 AM, Matt Riedemann wrote: >> I'm seeing some nova stable/havana patches failing consistently on >> keystone bug 1357652 [1], keystone won't start due to an import error. >> >> I&#

Re: [openstack-dev] stable/havana jobs failing due to keystone bug 1357652

2014-08-17 Thread Nathan Kinder
On 08/17/2014 09:08 AM, Matt Riedemann wrote: > I'm seeing some nova stable/havana patches failing consistently on > keystone bug 1357652 [1], keystone won't start due to an import error. > > I'm not seeing any recent changes for keystone in stable/havana so not > sure if this is an infra issue

[openstack-dev] [OSSN 0022] Nova Networking does not enforce security group rules following a soft reboot of an instance

2014-08-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova Networking does not enforce security group rules following a soft reboot of an instance - --- ### Summary ### In deployments using Nova Networking, security group rules associated with an instance may not be enforced after a soft reboot. Nova is

[openstack-dev] [OSSN 0021] Owners of compromised accounts should verify Keystone trusts

2014-07-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Owners of compromised accounts should verify Keystone trusts - --- ### Summary ### The Keystone 'trusts' API allows for delegation of privileges to one user on behalf of another. This API can allow for an attacker of a compromised account to set up ba

Re: [openstack-dev] [Keystone] Feasibility of adding global restrictions at trust creation time

2014-07-22 Thread Nathan Kinder
On 07/22/2014 06:55 PM, Steven Hardy wrote: > On Tue, Jul 22, 2014 at 05:20:44PM -0700, Nathan Kinder wrote: >> Hi, >> >> I've had a few discussions recently related to Keystone trusts with >> regards to imposing restrictions on trusts at a deployment level. >

[openstack-dev] [Keystone] Feasibility of adding global restrictions at trust creation time

2014-07-22 Thread Nathan Kinder
Hi, I've had a few discussions recently related to Keystone trusts with regards to imposing restrictions on trusts at a deployment level. Currently, the creator of a trust is able to specify the following restrictions on the trust at creation time: - an expiration time for the trust - the num

Re: [openstack-dev] [Keystone][devstack] Keystone is now gating (Juno and beyond) on Apache + mod_wsgi deployed Keystone

2014-07-14 Thread Nathan Kinder
On 07/11/2014 08:43 AM, Morgan Fainberg wrote: > The Keystone team is happy to announce that as of yesterday (July 10th 2014), > with the merge of https://review.openstack.org/#/c/100747/ Keystone is now > gating on Apache + mod_wsgi based deployment. This also has moved the default > for devs

Re: [openstack-dev] [Keystone] [Swift] Question re. keystone domains

2014-07-02 Thread Nathan Kinder
On 07/01/2014 12:15 PM, Dolph Mathews wrote: > > On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair > wrote: > > We have a change [1] under review in Swift to make access control > lists compatible with migration to keystone v3 domains. The change > make

Re: [openstack-dev] [Keystone] HTTP Get and HEAD requests mismatch on resulting HTTP status (proposed REST API Response Status Changes)

2014-07-01 Thread Nathan Kinder
On 07/01/2014 07:48 PM, Robert Collins wrote: > Wearing my HTTP fanatic hat - I think this is actually an important > change to do. Skew like this can cause all sorts of odd behaviours in > client libraries. +1. The current behavior of inconsistent response codes between the two recommended met

[openstack-dev] [OSSG][OSSN] Cinder SSH Pool will auto-accept SSH host signatures by default

2014-06-30 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cinder SSH Pool will auto-accept SSH host signatures by default - --- ### Summary### In OpenStack releases prior to Juno, the SSH connection pool used by Cinder drivers to control SAN hosts will silently auto-accept SSH host fingerprints. This potenti

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-25 Thread Nathan Kinder
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: > > Ok, I’ll hack together a dev plugin over the next week or so, other work > notwithstanding. Where possible I’ll probably borrow from the dog tag > plugin as I’ve not looked closely at the plugin infrastructure in Barbican > recently. My un

[openstack-dev] [OSSG][OSSN] Nova Network configuration allows guest VMs to connect to host services

2014-06-25 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nova Network configuration allows guest VMs to connect to host services - --- ### Summary ### When using Nova Network to manage networking for compute instances, instances are able to reach network services running on the host system. This may be a se

[openstack-dev] [OSSG][OSSN] Session-fixation vulnerability in Horizon when using the default signed cookie sessions

2014-06-20 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Session-fixation vulnerability in Horizon when using the default signed cookie sessions - --- ### Summary ### The default setting in Horizon is to use signed cookies to store session state on the client side. This creates the possibility that if an a

Re: [openstack-dev] Message level security plans. [barbican]

2014-06-12 Thread Nathan Kinder
be to utilize Barbican to store the long-term keys used to authenticate the communicating party. Thanks, -NGK > > Thoughts? > > Arvind > > -Original Message- > From: Nathan Kinder [mailto:nkin...@redhat.com] > Sent: Thursday, June 12, 2014 3:32 PM > To: op

Re: [openstack-dev] Message level security plans.

2014-06-12 Thread Nathan Kinder
Hi Tim, Jamie Lennox (cc'd) has been the main developer working on Kite. I'm sure he would appreciate you getting involved in reviews [1] and any other development help you're willing to contribute. Patches have slowly been landing in the kite repo. [2] For others not familiar with Kite, there

Re: [openstack-dev] [OSSG][OSSN] Some versions of Glance do not apply property protections as expected (***revision***)

2014-06-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, The previous revision of this OSSN specified an incorrect workaround. This new revision should supersede the old revision. Thanks, - -NGK - -- Some versions of Glance do not a

[openstack-dev] [OSSG][OSSN] Cinder wipe fails in an insecure manner on Grizzly

2014-06-03 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cinder wipe fails in an insecure manner on Grizzly - --- ### Summary ### A configuration error can prevent the secure erase of volumes in Cinder on Grizzly, potentially allowing a user to recover another user’s data. ### Affected Services / Software

[openstack-dev] [OSSG][OSSN] Glance allows non-admin users to create public images

2014-05-31 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance allows non-admin users to create public images - --- ### Summary ### The default policy settings in Glance allow any user to upload an image that is publicly available to all users. This can allow a malicious user to upload a vulnerable image t

[openstack-dev] [OSSG][OSSN] Multiple Cinder drivers set insecure file permissions

2014-05-31 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Multiple Cinder drivers set insecure file permissions - --- ### Summary ### Several Cinder volume drivers set insecure file permissions for various files and directories. These permissions render the files accessible for read and write to any user wit

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-22 Thread Nathan Kinder
On 05/22/2014 07:48 AM, Jarret Raim wrote: > All, > > There was some interest at the Summit in semi-combining the mid-cycle meet > ups for Barbican, Keystone and the OSSG as there is some overlap in team > members and interest areas. The current dates being considered are: > > Mon, July 7 - Bar

Re: [openstack-dev] [Openstack-docs] [Doc] [ceilometer] [cinder] [glance] [heat] [horizon] [keystone] [neutron] [nova] [swift] [trove] Atlanta Summit – Discuss docs process and tool improvements

2014-05-08 Thread Nathan Kinder
On 05/08/2014 09:42 AM, Anne Gentle wrote: > > > > On Wed, May 7, 2014 at 1:43 PM, Roger Luethi > wrote: > > On Wed, 07 May 2014 09:16:48 -0700, Anne Gentle wrote: > > Why not? The responses to my recent survey about doc contributions > indicate

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Nathan Kinder
On 05/08/2014 03:19 AM, Samuel Bercovici wrote: > Hi, > > > > Please note as commented also by other XaaS services that managing SSL > certificates is not a sole LBaaS challenge. > > This calls for either an OpenStack wide service or at least a Neutron > wide service to implement such use ca

[openstack-dev] [OSSG][OSSN] Some versions of Glance do not apply property protections as expected

2014-05-07 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Some versions of Glance do not apply property protections as expected - --- ### Summary ### Tom Leaman reported an issue to the OpenStack mailing list that affects Glance property protections. A permissive property setting in the Glance property prote

Re: [openstack-dev] [nova][olso] How is the trusted message going on?

2014-05-05 Thread Nathan Kinder
On 05/05/2014 03:29 PM, Jiang, Yunhong wrote: > Hi, all > The trusted messaging > (https://blueprints.launchpad.net/oslo.messaging/+spec/trusted-messaging) has > been removed from icehouse, does anyone know how is current status? I noticed > a summit session may cover it ( > http://juno

Re: [openstack-dev] [barbican] Cryptography audit by OSSG

2014-04-25 Thread Nathan Kinder
s as they are added): Would Barbican help > to solve any of the security concerns/issues that these projects are > experiencing? > > -Lisa > >> >> Message: 5 >> Date: Thu, 17 Apr 2014 16:27:30 -0700 >> From: Nathan Kinder >> To: "Bryan D. Pa

Re: [openstack-dev] [Neutron][LBaaS] Use Case Question

2014-04-25 Thread Nathan Kinder
On 04/25/2014 12:50 AM, Carlos Garza wrote: > Trevor is referring to our plans on using the SSL session ID of the > ClientHello to provide session persistence. > See RFC 5264 section 7.4.1.2 which sends an SSL session ID in the clear > (Unencrypted) so that a load balancer with out the decryp

Re: [openstack-dev] [barbican] Cryptography audit by OSSG

2014-04-24 Thread Nathan Kinder
SSG leads. We'd certainly welcome your involvement in > OSSG. In fact, there has been much interest in OSSG about the Barbican > project. And I believe that many people from the group are contributing > to Barbican. > > > In the below thread on the security list, N

[openstack-dev] [OSSG][OSSN] Sample Keystone v3 policy exposes privilege escalation vulnerability

2014-04-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sample Keystone v3 policy exposes privilege escalation vulnerability - --- ### Summary ### The policy.v3cloudsample.json sample Keystone policy file combined with the underlying mutability of the domain ID for user, group, and project entities exposed

Re: [openstack-dev] Security audit of OpenStack projects

2014-04-10 Thread Nathan Kinder
On 04/10/2014 09:48 AM, Russell Bryant wrote: > On 04/10/2014 11:39 AM, Steven Hardy wrote: >> On Mon, Apr 07, 2014 at 09:06:23AM -0700, Nathan Kinder wrote: >>> Hi, >>> >>> We don't currently collect high-level security related information about >>

[openstack-dev] [OSSG][OSSN] OpenSSL Heartbleed vulnerability can lead to OpenStack compromise

2014-04-10 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Heartbleed vulnerability can lead to OpenStack compromise - --- ### Summary ### A vulnerability in OpenSSL can lead to leaking of confidential data protected by SSL/TLS in an OpenStack deployment. ### Affected Services / Software ### Grizzly,

[openstack-dev] Security audit of OpenStack projects

2014-04-07 Thread Nathan Kinder
Hi, We don't currently collect high-level security related information about the projects for OpenStack releases. Things like the crypto algorithms that are used or how we handle sensitive data aren't documented anywhere that I could see. I did some thinking on how we can improve this. I wrote

[openstack-dev] [OSSG][OSSN] Heat templates with invalid references allows unintended network access

2014-04-04 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Heat templates with invalid references allows unintended network access - --- ### Summary ### Orchestration templates can create security groups to define network access rules. When creating these rules, it is possible to have a rule grant incoming n

[openstack-dev] [OSSG][OSSN] Potential token revocation abuse via group membership

2014-04-02 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Potential token revocation abuse via group membership - --- ### Summary ### Deletion of groups in Keystone causes token revocation for group members. If group capabilities are delegated to users, they can abuse those capabilities to maliciously revok

Re: [openstack-dev] [TripleO] proxying SSL traffic for API requests

2014-03-27 Thread Nathan Kinder
On 03/26/2014 09:51 AM, Clint Byrum wrote: > Excerpts from Chris Jones's message of 2014-03-26 06:58:59 -0700: >> Hi >> >> We don't have a strong attachment to stunnel though, I quickly dropped it in >> front of our CI/CD undercloud and Rob wrote the element so we could repeat >> the deployment.

Re: [openstack-dev] [keystone] All LDAP users returned using keystone v3/users API

2014-03-13 Thread Nathan Kinder
ide sufficient filtering (for example, it > is not possible to set user_filter to members of certain known groups > for OpenLDAP without creating a memberOf overlay on the LDAP server). > > [Nathan Kinder] What attributes would you filter on? It seems to me > that LDAP would need to

[openstack-dev] [OSSG][OSSN] DoS style attack on noVNC server can lead to service interruption or disruption

2014-03-09 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 DoS style attack on noVNC server can lead to service interruption or disruption - --- ### Summary ### There is currently no limit to the number of noVNC or SPICE console sessions that can be established by a single user. The console host has limited r

Re: [openstack-dev] Reply: [OSSN] Live migration instructions recommend unsecured libvirt remote access

2014-03-07 Thread Nathan Kinder
his page provides a nice overview of libvirt's migration capabilities: http://libvirt.org/migration.html Thanks, - -NGK > > -Hao > > -Original Message- From: Nathan Kinder [mailto:nkin...@redhat.com] Sent: > March 7, 2014 3:36 To: OpenStack Development Mailing List (not for > usag

[openstack-dev] [OSSN] Live migration instructions recommend unsecured libvirt remote access

2014-03-06 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Live migration instructions recommend unsecured libvirt remote access - --- ### Summary ### When using the KVM hypervisor with libvirt on OpenStack Compute nodes, live migration of instances from one Compute server to another requires that the libvirt

[openstack-dev] [OSSG][OSSN] Keystone can allow user impersonation when using REMOTE_USER for external authentication

2014-01-17 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keystone can allow user impersonation when using REMOTE_USER for external authentication - --- ### Summary ### When external authentication is used with Keystone using the "ExternalDefault" plug-in, external usernames containing "@" characters are tru

Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Nathan Kinder
On 12/11/2013 08:08 PM, Bryan D. Payne wrote: > We can involve people in security reviews without having them on the > core review team. They are separate concerns. > > > Yes, but those people can't ultimately approve the patch. So you'd need > to have a security reviewer do their revie

[openstack-dev] [OSSG][OSSN] Glance allows sharing of images between projects without consumer project approval

2013-12-11 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Glance allows sharing of images between projects without consumer project approval - --- ### Summary ### Glance allows images to be shared between projects. In certain API versions, images can be shared without the consumer project's approval. This al

Re: [openstack-dev] [Solum] [Security]

2013-11-27 Thread Nathan Kinder
On 11/27/2013 08:58 AM, Paul Montgomery wrote: > I created some relatively high level security best practices that I > thought would apply to Solum. I don't think it is ever too early to get > mindshare around security so that developers keep that in mind throughout > the project. When a design d

Re: [openstack-dev] tenant or project

2013-11-23 Thread Nathan Kinder
On 11/23/2013 08:28 AM, Tim Bell wrote: > > Horizon uses Project in the user interface, yet the openstack.rc file > contains tenant_id and tenant_name. It makes it very difficult to write user > guides given that such a fundamental concept has two names. +1. I struggled with this dual-nomencla

[openstack-dev] [OSSG][OSSN] Authenticated users are able to update passwords without providing their current password

2013-11-22 Thread Nathan Kinder
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Authenticated users are able to update passwords without providing their current password - --- ### Summary ### An authenticated user is able to change their password without providing their current password. This allows compromised authentication tok

Re: [openstack-dev] [heat][keystone] APIs, roles, request scope and admin-ness

2013-11-05 Thread Nathan Kinder
On 11/02/2013 09:06 AM, Steven Hardy wrote: Hi all, Looking to start a wider discussion, prompted by: https://review.openstack.org/#/c/54651/ https://blueprints.launchpad.net/heat/+spec/management-api https://etherpad.openstack.org/p/heat-management-api Summary - it has been proposed to add a m