← Back to team overview

openstack team mailing list archive

Re: Potential security issue with CHAP

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2012 03:40 PM, Russell Bryant wrote:
> On 11/29/2012 03:50 AM, Avishay Traeger wrote:
>> 
>> Hi all, Currently, CHAP secrets are managed by Cinder, and passed
>> to Nova for use when attaching volumes.  This means that unless
>> the communication is encrypted, or a separate trusted network is
>> used, CHAP secrets can be sniffed on the wire. Opinions?
> 
> In the future, if you suspect something is a security issue 
> (vulnerability), the public mailing list isn't the best place to
> report it.  :-)  Please use a private bug on launchpad, or send
> someone on the vulnerability management team an encrypted email.
> 
> http://www.openstack.org/projects/openstack-security/
> 
> In this case, I don't think there is a problem here.  A lot of
> sensitive information is passed around between services, via both
> messaging and the REST APIs.  It is certainly important to protect
> these communications via the means you mentioned (trusted network,
> encryption).

Also if appropriate please notify secalert@xxxxxxxxxx, traditionally
SRT would handle notifying/communications with many upstreams (this
applies more to RHEL where we have hundreds of upstreams we are not
directly involved in) which is obviously different for OpenStack since
we have Russell, but it is very helpful if SRT is notified as early as
possible since we'll need to handle the security issues any ways at
some point..

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQvjAMAAoJEBYNRVNeJnmTmPwQAJx3WKrc3OHSkyjBukqt+x/V
6G3by9ZQZeUYnXPzKCW5uLC+nypea2zx/AKn6/QBwjcE+jTWzvI4EOkv6wpzxyC1
cdcRE1gLoaStPZhEfBAugjXwBMH8zwDE6htuEDZrazPNgSfOGYr7UAsr1KOh0dy+
ijY7fd1nJgakKl/LMrqbTRx0soh6ZFvQdZ51DEywDohs2Fn6CEeDiSbaj/4uUDGl
5s/4HM9CyfRF8fc8lFloU10QIdx+0E2kY+wMrFjfGUSX9UWtqKzj3HjE8mCIJzBq
RDOlKF0NSb3etasbYV881MPA0Ur9AYB5F03qoQvfRg0NWa3Mzuqty/CztYCg3Xii
UpGLhmPxX67dItotYr1uTnP7lTLieAjVbu6HOAPUcXVw1zvF3p0dDlhEn1Rsg0I3
FKMMyMUAeuObPeFhnnvRfnsRfQh45drDFGwv1v38lnFbXQyZTu9Yk9ysDekNJLvS
VyC8ZTGBizlyKbpJf2ABUF8kI2fS9jfUBkWtRxErnzElUmGPsMZ4yRPGYdRuMY49
0IrE4TcdWszAgZxaVRSj2CE2Dw8x1V1/ZUSUW5fyRKPOmZhtAuY2NRXYxk3NNeO/
5c6TQwnGec9GTmUMIFfWoUBCBORbib0d2Q3evQZ9MmO1VJEnSirXhIUt9LXq+9/C
60oOnghV/Ry4U+jzf6NX
=1lL1
-----END PGP SIGNATURE-----


References