Description:

The following files use httplib.HTTPSConnection:

keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

AFAICT HTTPSConnection does not validate server certificates and should be avoided. This is fixed in Python 3; however, in 2.X no validation occurs. I suspect this is also applicable to most OpenStack modules that make HTTPS client calls.
(In reply to Grant Murphy from comment #0)

Thank you for your report, Grant.

> Description:
>
> The following files use httplib.HTTPSConnection :
>
> keystone/middleware/s3_token.py
> keystone/middleware/ec2_token.py
> keystone/common/bufferedhttp.py
> vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
>
>
> AFAICT HTTPSConnection does not validate server certificates and should be
> avoided. This is fixed in Python 3, however in 2.X no validation occurs. I
> suspect this is also applicable to most OpenStack modules that make HTTPS
> client calls.

Have you reported this issue upstream already? Or should we?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
This bug also appears to exist within several other OpenStack components upstream:

cinder/cinder/volume/drivers/zadara.py: connection = httplib.HTTPSConnection(self.host, self.port)
cinder/cinder/volume/drivers/solidfire.py: connection = httplib.HTTPSConnection(host, port)
keystone/keystone/middleware/ec2_token.py: conn = httplib.HTTPSConnection(o.netloc)
keystone/keystone/middleware/s3_token.py: self.http_client_class = httplib.HTTPSConnection
keystone/keystone/common/bufferedhttp.py: If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
keystone/keystone/common/bufferedhttp.py: If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
keystone/keystone/common/bufferedhttp.py: conn = httplib.HTTPSConnection(
nova/nova/virt/vmwareapi/read_write_util.py: conn = httplib.HTTPSConnection(netloc)
nova/nova/api/ec2/__init__.py: conn = httplib.HTTPSConnection(o.netloc)
nova/nova/scheduler/filters/trusted_filter.py:class HTTPSClientAuthConnection(httplib.HTTPSConnection):
nova/nova/scheduler/filters/trusted_filter.py: httplib.HTTPSConnection.__init__(self, host,
nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/glance: conn = httplib.HTTPSConnection(glance_host, glance_port)
nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/pluginlib_nova.py: httplib.HTTPSConnection(netloc) or
quantum/quantum/plugins/bigswitch/plugin.py: conn = httplib.HTTPSConnection(
quantum/quantum/plugins/nec/common/ofc_client.py: return httplib.HTTPSConnection
quantum/quantum/plugins/nicira/api_client/common.py: if isinstance(conn, httplib.HTTPSConnection):
quantum/quantum/plugins/nicira/api_client/client.py: return httplib.HTTPSConnection(host, port,
quantum/quantum/plugins/nicira/api_client/client.py: is_ssl = isinstance(http_conn, httplib.HTTPSConnection)
swift/swift/common/bufferedhttp.py: HTTPResponse, HTTPSConnection, _UNKNOWN
swift/swift/common/bufferedhttp.py: HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
swift/swift/common/bufferedhttp.py: HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
swift/swift/common/bufferedhttp.py: conn = HTTPSConnection('%s:%s' % (ipaddr, port))
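A defender-side illustration of the two comments above, added here and not part of the bug thread or of any OpenStack project: an ast-based check that flags HTTPSConnection() calls passing no context= argument (the pattern the grep found; on Python 2 such calls never verified the server certificate), beside the verified construction a caller should use. The sample source is constructed; the helper names are this example's own.

```python
import ast
import http.client
import ssl

# Constructed sample in the style of the grep hits above (not OpenStack code).
SAMPLE_SOURCE = '''import httplib

def ec2_conn(o):
    conn = httplib.HTTPSConnection(o.netloc)
    return conn

def verified_conn(host, port, ctx):
    return httplib.HTTPSConnection(host, port, context=ctx)

class ClientAuth(httplib.HTTPSConnection):
    pass
'''


def find_unverified_https_calls(source):
    """Return line numbers of HTTPSConnection(...) calls with no context=.
    context= exists only from Python 2.7.9 on; older httplib had no
    certificate check at all. Subclass definitions are not flagged."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name == "HTTPSConnection" and not any(kw.arg == "context" for kw in node.keywords):
            hits.append(node.lineno)
    return hits


def context_validates(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def legacy_like_context():
    """Mimics old Python 2 httplib behaviour: encrypt, trust any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_connection(host, port=443, cafile=None):
    """The fixed form: system (or given) CA bundle, hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not context_validates(ctx):
        raise RuntimeError("refusing to build an unverified HTTPS connection")
    return http.client.HTTPSConnection(host, port, context=ctx)  # connects lazily
```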
Changing this to an SRT bug as it affects more than just keystone and is now public.
Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 984679] Affects: epel-6 [bug 984681]
Created python-keystoneclient tracking bugs for this issue: Affects: fedora-all [bug 984680] Affects: epel-6 [bug 984682]
https://bugs.launchpad.net/keystone/+bug/1188189
*** Bug 971674 has been marked as a duplicate of this bug. ***
Statement: The Red Hat Security Response Team has rated this issue as having Moderate security impact in Red Hat Enterprise OpenStack Platform 3; however, fixing this issue would require a change to default behavior. This issue is not currently planned to be addressed in future updates. This issue did not affect the versions of openstack-keystone or python-keystoneclient as shipped with Red Hat Enterprise OpenStack Platform 4. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.