
openstack team mailing list archive

Re: Potential security issue with CHAP

 

On 11/29/2012 03:50 AM, Avishay Traeger wrote:
> 
> Hi all,
> Currently, CHAP secrets are managed by Cinder, and passed to Nova for use
> when attaching volumes.  This means that unless the communication is
> encrypted, or a separate trusted network is used, CHAP secrets can be
> sniffed on the wire.
> Opinions?

In the future, if you suspect something is a security issue
(vulnerability), the public mailing list isn't the best place to report
it.  :-)  Please use a private bug on Launchpad, or send someone on the
vulnerability management team an encrypted email.

http://www.openstack.org/projects/openstack-security/

In this case, I don't think there is a problem here.  A lot of sensitive
information is passed around between services, via both messaging and
the REST APIs.  It is certainly important to protect these
communications via the means you mentioned (trusted network, encryption).

-- 
Russell Bryant

