TLSv1 related vulnerabilities on MOS Controllers

Bug #1678533 reported by Rene Soto
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Won't Fix
Critical
MOS Maintenance

Bug Description

Detailed bug description:
Customer's Qualys security software determined that their controllers are susceptible to the following vulnerabilities:
CVE-2013-2566
CVE-2015-2808
CVE-2014-3566
CVE-2016-2107
CVE-2011-3389

They state that TLSv1 and SSL need to stop being used, if possible.

Steps to reproduce:
On a controller node in a MOS 7.0 environment, we can see that TLSv1_1 and TLSv1_2 are not enabled (or supported).
root@node-1:~# python
Python 2.7.6 (default, Oct 26 2016, 20:30:19)
[GCC 4.8.4] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> 'PROTOCOL_TLSv1' in dir(ssl)
True
>>> 'PROTOCOL_TLSv1_1' in dir(ssl)
False
>>> 'PROTOCOL_TLSv1_2' in dir(ssl)
False

Expected results:
Have the ability to use v1_1 or v1_2
Actual result:
Unable to, since I believe it is not supported in the version of Python shipped with MOS 7.0 (and up to at least 9.0 as well). I believe Python 2.7.9 supports TLSv1_1 and v1_2

Reproducibility:
N/A
Workaround:
None at the moment.
Impact:

Description of the environment:
 Operation system: Ubuntu 14.04
 Versions of components: Python 2.7.6
 Reference architecture: N/A
 Network model: N/A
 Related projects installed: N/A
Additional information:
N/A
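The `dir(ssl)` check above, generalised into a small audit script. This is an added example and is not part of the bug report or of the Fuel/MOS code base; it is written for Python 3.7+ (the report's Python 2.7.6 lacks `ssl.SSLContext.minimum_version` and `ssl.TLSVersion`), and the function names, the cipher-name list used in the test and the `probe_server` helper are this example's own assumptions. It reports which protocol constants the interpreter's `ssl` module exposes, builds a client context that refuses anything below TLS 1.2 and excludes the RC4 and CBC suites behind the listed CVEs, and flags weak suites in any context or cipher list handed to it.

```python
import socket
import ssl

# Protocol constants to look for; the last one is the modern replacement for the
# per-version PROTOCOL_* constants (present on Python 3.6+).
PROTOCOL_NAMES = [
    "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1",
    "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1_2", "PROTOCOL_TLS_CLIENT",
]


def supported_protocol_constants():
    """Map each protocol constant name to whether this ssl module exposes it."""
    return {name: hasattr(ssl, name) for name in PROTOCOL_NAMES}


def tls12_available():
    """True when the interpreter can ask OpenSSL for TLS 1.2 at all."""
    tls_version_enum = getattr(ssl, "TLSVersion", None)
    return hasattr(ssl, "PROTOCOL_TLSv1_2") or hasattr(tls_version_enum, "TLSv1_2")


def hardened_client_context():
    """Client context: TLS 1.2 or newer, AEAD suites only (no RC4, no CBC, no 3DES)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # kills SSLv3/TLS1.0/TLS1.1 (POODLE, BEAST)
    # Only AEAD suites with forward secrecy; the negative patterns make the intent explicit.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
    )
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_cipher_names(names):
    """Classify OpenSSL cipher-suite names by the weaknesses raised in this report.

    rc4  -> CVE-2013-2566 / CVE-2015-2808 (Bar Mitzvah)
    3des -> 64-bit block cipher
    cbc  -> CBC-mode suites; the ones exposed by BEAST (CVE-2011-3389) on TLS 1.0 and
            by the AES-NI padding-oracle bug (CVE-2016-2107) in unpatched OpenSSL
    """
    findings = {"rc4": [], "3des": [], "cbc": []}
    for name in names:
        upper = name.upper()
        if "RC4" in upper:
            findings["rc4"].append(name)
        elif "3DES" in upper or "DES-CBC3" in upper:
            findings["3des"].append(name)
        elif not any(tok in upper for tok in ("GCM", "CHACHA20", "CCM")):
            # OpenSSL names CBC suites without a "CBC" token (e.g. AES128-SHA), so
            # anything that is not an AEAD suite is treated as CBC here.
            findings["cbc"].append(name)
    return findings


def audit_context(ctx):
    """Run audit_cipher_names over the suites a context would actually offer."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


def probe_server(host, port=443, timeout=5.0):
    """Report which TLS versions a remote server accepts (network access required).

    Hypothetical helper; not exercised offline. Verification is disabled on purpose
    because only the protocol negotiation is of interest here.
    """
    accepted = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted[version.name] = tls.version()
        except (ssl.SSLError, ValueError, OSError):
            accepted[version.name] = None  # refused, or this OpenSSL cannot offer it
    return accepted


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print(supported_protocol_constants())
    print("TLS 1.2 available:", tls12_available())
    print("hardened context findings:", audit_context(hardened_client_context()))
```

On the Python 2.7.6 interpreter shown in the report, `supported_protocol_constants()` would return `False` for `PROTOCOL_TLSv1_1`, `PROTOCOL_TLSv1_2` and `PROTOCOL_TLS_CLIENT`, and `hardened_client_context()` cannot be built at all; that is the gap the report describes. Run `probe_server()` against a controller's public endpoint to see which of the four versions it still accepts.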


Revision history for this message
Stanislaw Bogatkin (sbogatkin) wrote :

You're right. All we are stuck on is that OpenStack is pinned to a Python version. So, let's ask some MOS guys whether we can raise the Python version for newer OpenStack releases.

Changed in fuel:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → MOS Linux (mos-linux)
milestone: none → 12.0
Revision history for this message
Stanislaw Bogatkin (sbogatkin) wrote :

As for CVE-2014-3566, it should be resolved in Fuel after 7.0, as we do not support SSL now, only TLS.
About CVE-2016-2107, we should manually check whether the CentOS team has patched the shipped OpenSSL version; currently we use 1.0.1e-fips, but it can be patched, of course.
As for CVE-2011-3389, it also should not be applicable to Fuel after 7.0, as we dropped SSL from it.

But CVE-2015-2808 and CVE-2013-2566 can only be fixed after the Python version is raised.

Changed in fuel:
importance: High → Critical
Revision history for this message
Ivan Suzdal (isuzdal) wrote :

Fuel version 10.0 and above is built on Ubuntu Xenial, whose python provides TLS 1.2 support.
Let's ask the maintenance team what should be done for older releases.
Keep in mind we are using python from upstream repos. AFAIK, there are at least two open bugs where a python upgrade (trusty release) is requested:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1443704
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955

Changed in fuel:
assignee: MOS Linux (mos-linux) → MOS Maintenance (mos-maintenance)
Revision history for this message
Rene Soto (rsoto) wrote :

Is there any update on this, by chance?

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

We use upstream python and, since this is a major component for already released products (trusty-based), we cannot just introduce a self-made version without re-evaluating all the released MOSes. So this obviously is not an option, since released MOSes are in maintenance mode. I see only one option at the moment: wait for the upstream fix in Ubuntu, to rely on their testing and quality assurance.

Moving to Won't Fix.

Changed in fuel:
status: Confirmed → Won't Fix