Bug 996766
| Field | Value |
|---|---|
| Summary | CVE-2013-6491: Setting Qpid SSL protocol sets wrong variable [openstack-3] |
| Product | Red Hat OpenStack |
| Component | openstack-nova |
| Version | 3.0 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Rob Crittenden <rcritten> |
| Assignee | Xavier Queralt <xqueralt> |
| QA Contact | Omri Hochman <ohochman> |
| CC | bperkins, dallan, ddomingo, gmollett, jruzicka, ndipanov, sclewis, slong, xqueralt, yeylon |
| Target Milestone | z4 |
| Target Release | 3.0 |
| Keywords | Security, SecurityTracking, Triaged, ZStream |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | openstack-nova-2013.1.4-2.el6ost |
| Doc Type | Bug Fix |
| Clones | 1021536, 1021537 |
| Bug Blocks | 1021536, 1021537, 1055616, 1059504 |
| Type | Bug |
| Last Closed | 2014-01-30 19:59:39 UTC |

Doc Text:

By default, Qpid uses TCP as a connection transport instead of a connection protocol. Previously, the procedure for enabling SSL in Qpid connections, 'qpid_protocol = ssl' in /etc/glance/glance-api.conf, set the connection protocol. However, the python-qpid client expects a connection transport type. The mismatch prevented Qpid from actually establishing an SSL connection.

With this release, the 'qpid_protocol = ssl' setting now enables SSL for the connection transport instead of the connection protocol. As such, Qpid can now successfully establish SSL connections.
Description
Rob Crittenden
2013-08-13 22:11:44 UTC
This is a nova bug, not novaclient.

I'm using: python-nova-2013.1.4-4.el6ost.noarch (from puddle: 2014-01-22.1)

The fix from the solution (https://github.com/openstack/nova/blob/master/nova/openstack/common/rpc/impl_qpid.py#L323) doesn't seem to match the current code under: /usr/lib/python2.6/site-packages/nova/openstack/common/rpc/impl_qpid.py

solution:
---------

                            "auto-delete": True,
                        },
                    },
                }
                if node_opts:
                    addr_opts["node"]["x-declare"].update(node_opts)

                self.address = "%s ; %s" % (node_name,
                                            jsonutils.dumps(addr_opts))
            elif conf.qpid_topology_version == 2:
                self.address = node_name
            else:
                raise_invalid_topology_version()

            self.reconnect(session)

        def reconnect(self, session):

current code:
-------------

                            "auto-delete": True,
                        },
                    },
                }
                if node_opts:
                    addr_opts["node"]["x-declare"].update(node_opts)

                self.address = "%s ; %s" % (node_name, jsonutils.dumps(addr_opts))

                self.reconnect(session)

        def reconnect(self, session):
            """Re-establish the Sender after a reconnection"""
            self.sender = session.sender(self.address)

and please elaborate steps to verify.
(In reply to Omri Hochman from comment #9)
> I'm using: python-nova-2013.1.4-4.el6ost.noarch (from puddle: 2014-01-22.1)
>
> The fix from the solution:
> (https://github.com/openstack/nova/blob/master/nova/openstack/common/rpc/impl_qpid.py#L323)
>
> Doesn't seem to match the current code under:
> /usr/lib/python2.6/site-packages/nova/openstack/common/rpc/impl_qpid.py
>
> solution:
> ---------
>                             "auto-delete": True,
>                         },
>                     },
>                 }
>                 if node_opts:
>                     addr_opts["node"]["x-declare"].update(node_opts)
>
>                 self.address = "%s ; %s" % (node_name,
>                                             jsonutils.dumps(addr_opts))
>             elif conf.qpid_topology_version == 2:
>                 self.address = node_name
>             else:
>                 raise_invalid_topology_version()
>
>             self.reconnect(session)
>
>         def reconnect(self, session):
>
>
> current code:
> -------------
>                             "auto-delete": True,
>                         },
>                     },
>                 }
>                 if node_opts:
>                     addr_opts["node"]["x-declare"].update(node_opts)
>
>                 self.address = "%s ; %s" % (node_name, jsonutils.dumps(addr_opts))
>
>                 self.reconnect(session)
>
>         def reconnect(self, session):
>             """Re-establish the Sender after a reconnection"""
>             self.sender = session.sender(self.address)
>
>
> and please elaborate steps to verify.

Note that you're checking it against Icehouse but this BZ is for the Grizzly branch. You can find the patch in the external trackers section (https://review.openstack.org/47574) and it has nothing to do with the code you quote.

To test this one should change qpid to use SSL, set qpid_protocol=ssl in nova.conf and restart all the nova services. Take into account that the other components' configuration must be updated too and that not all the components decided to backport this patch (I think it is missing only in 3.0 cinder), which means that not all of them will be able to use qpid with SSL.
I checked with puddle 2014-01-22.1; it's the latest Grizzly, not Icehouse: http://download.lab.bos.redhat.com/rel-eng/OpenStack/Grizzly/2014-01-22.1/puddle.repo

Well, I've tried to set nova.conf with qpid_protocol=ssl and restart the nova services, then run nova CLI commands; I'm getting ERROR: [Errno 111] Connection refused.

I've tried to set some other .conf files to work with SSL but maybe I'm missing something. How can I verify that this patch is actually inside the code in Grizzly? I think that will be the verification in this case.

(In reply to Omri Hochman from comment #11)
> I checked with puddle 2014-01-22.1; it's the latest Grizzly, not Icehouse:
> http://download.lab.bos.redhat.com/rel-eng/OpenStack/Grizzly/2014-01-22.1/puddle.repo

The link to github pointed to master (a.k.a. Icehouse), that's why the code differs from what you can find packaged in Grizzly.

> Well, I've tried to set nova.conf with qpid_protocol=ssl and restart the nova
> services, then run nova CLI commands; I'm getting ERROR: [Errno 111]
> Connection refused.

For this to work you must configure QPID to use SSL too. I can't point you to any documentation on how to configure that right now, but

> I've tried to set some other .conf files to work with SSL but maybe I'm
> missing something. How can I verify that this patch is actually inside the
> code in Grizzly? I think that will be the verification in this case.

To verify that the patch has been applied you must check line 370 of the file nova/openstack/common/rpc/impl_qpid.py: there, instead of setting the attribute self.connection.protocol, it should be setting self.connection.transport (see the patches in the external trackers section for more details).
Verified with python-nova-2013.1.4-4.el6ost.noarch (puddle 2014-01-22.1)

The fix is in the code:
-----------------------

    self.connection.transport = self.conf.qpid_protocol

(In line 370: /usr/lib/python2.6/site-packages/nova/openstack/common/rpc/impl_qpid.py)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0112.html
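A scripted form of the verification step described in the thread, added here as an example and not part of the bug report or of nova: it parses an impl_qpid.py source with Python's ast module and reports which self.connection attribute receives self.conf.qpid_protocol, so the unpatched form (.protocol) and the fixed form (.transport) can be told apart without counting lines. The embedded before/after method bodies are constructed stand-ins, not the packaged file.

```python
"""Check whether an impl_qpid.py source carries the CVE-2013-6491 fix.

Added example for this bug page, not nova's own code: the unpatched code
assigned qpid_protocol to self.connection.protocol; the fix assigns it to
self.connection.transport, which is the attribute python-qpid honours.
"""
import ast

# Constructed stand-ins for the relevant method, before and after the fix.
UNPATCHED_SRC = """
def connection_create(self, broker):
    self.connection = qpid_messaging.Connection(broker)
    self.connection.protocol = self.conf.qpid_protocol
    self.connection.tcp_nodelay = self.conf.qpid_tcp_nodelay
"""
PATCHED_SRC = UNPATCHED_SRC.replace("connection.protocol", "connection.transport")


def _attr_chain(node):
    """Render an attribute chain like self.connection.transport as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def qpid_protocol_targets(source):
    """Return (lineno, target) for each assignment of self.conf.qpid_protocol
    to an attribute of self.connection."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Assign)
                and _attr_chain(node.value) == "self.conf.qpid_protocol"):
            for target in node.targets:
                chain = _attr_chain(target)
                if chain and chain.startswith("self.connection."):
                    hits.append((node.lineno, chain))
    return hits


def is_fixed(source):
    """True only if qpid_protocol feeds .transport and never the old .protocol."""
    targets = {chain for _, chain in qpid_protocol_targets(source)}
    return ("self.connection.transport" in targets
            and "self.connection.protocol" not in targets)
```

Run `is_fixed(open(path).read())` against the installed impl_qpid.py to get the same answer the manual line-370 check gives, independent of line numbers shifting between builds.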