rcbops / chef-cookbooks

RCB OPS - Chef Cookbooks

[glance] Image Service Registry - Unencrypted Submission of Credentials #891

Open claco opened 10 years ago

claco commented 10 years ago

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Image Service Registry transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:9191

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References:
http://cwe.mitre.org/data/definitions/319.html
https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/glance/attributes/default.rb
58:default["glance"]["services"]["registry"]["port"] = 9191
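
The report above only says that the registry port is reachable over plain HTTP; it does not say how to tell, from the outside, whether a deployed registry listener has actually been moved to TLS after the attribute change. The probe below is an added example for this issue, not code from rcbops/chef-cookbooks or from the issue author: it connects to a host:port, tries a TLS handshake first, and only if that fails speaks plain HTTP/1.0, classifying the listener as `:tls`, `:cleartext_http`, `:closed` or `:unknown`. The `check_registry` wrapper returns the shape a monit or Nagios-style check could alert on. The two `start_*_fixture` helpers are constructed stand-ins for a glance-registry listener (one plain HTTP, one TLS with a throwaway self-signed certificate generated in-process) so the probe can be exercised offline; the function and helper names, the default port of 9191 and the 3-second timeout are assumptions of this example.

```ruby
#!/usr/bin/env ruby
# Added example: probe a host:port and report whether it offers TLS or only
# cleartext HTTP. Not part of rcbops/chef-cookbooks; the listeners at the
# bottom are constructed fixtures so the probe can be run offline.
require 'socket'
require 'openssl'
require 'timeout'

PROBE_TIMEOUT = 3 # seconds per network step (assumed value)

# Returns :tls, :cleartext_http, :closed or :unknown for host:port.
# :cleartext_http is the CWE-319 condition from the issue: any credential a
# client sends to that listener crosses the wire unencrypted.
def classify_endpoint(host, port, timeout: PROBE_TIMEOUT)
  sock = Timeout.timeout(timeout) { TCPSocket.new(host, port) }

  # Step 1: try a TLS handshake. Verification is off on purpose; the question
  # here is "is TLS offered at all?", not "is the certificate trustworthy?".
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  begin
    Timeout.timeout(timeout) { ssl.connect }
    ssl.close
    sock.close
    return :tls
  rescue OpenSSL::SSL::SSLError, Timeout::Error, EOFError, SystemCallError
    # A plain-HTTP server answers the ClientHello with a 400 or just closes,
    # which OpenSSL reports as a handshake error. Drop the socket and go on.
    sock.close rescue nil
  end

  # Step 2: no TLS, so reconnect and speak plain HTTP/1.0.
  sock = Timeout.timeout(timeout) { TCPSocket.new(host, port) }
  sock.write("GET / HTTP/1.0\r\nHost: #{host}\r\n\r\n")
  status = Timeout.timeout(timeout) { sock.gets }
  sock.close
  status.to_s.start_with?('HTTP/') ? :cleartext_http : :unknown
rescue Errno::ECONNREFUSED
  :closed
rescue Timeout::Error, SystemCallError, IOError
  :unknown
end

# Monitoring-style check: a hash a monit/Nagios wrapper could turn into an
# alert. cwe_319 is true exactly when the listener answers in cleartext.
def check_registry(host, port)
  speaks = classify_endpoint(host, port)
  { endpoint: "#{host}:#{port}", speaks: speaks, cwe_319: speaks == :cleartext_http }
end

# ---- constructed local fixtures (stand-ins for a glance-registry listener) ----

# Plain HTTP listener, like glance-registry on 9191 with the default attributes.
def start_cleartext_fixture
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      client.readpartial(4096) rescue nil # a real request or a TLS ClientHello
      client.write("HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n") rescue nil
      client.close
    end
  end
  server.addr[1]
end

# TLS listener with a throwaway self-signed certificate generated here.
def start_tls_fixture
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        client = tls.accept
        client.write("HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n") rescue nil
        client.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        next
      end
    end
  end
  tcp.addr[1]
end

if __FILE__ == $PROGRAM_NAME && ARGV.any?
  host = ARGV[0]
  port = Integer(ARGV[1] || 9191)
  puts check_registry(host, port).inspect
end
```

Run it as `ruby probe.rb 198.101.133.159 9191` against the host named in the report; a `:cleartext_http` result reproduces the finding, and the same probe run after the https switch should return `:tls`. Note that the TLS branch deliberately does not validate the certificate: once the listener is on TLS, certificate and bundle correctness is the separate client-cert work the issue points to, and a check for that would set `verify_mode` to `VERIFY_PEER` with the deployment's CA bundle.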
odyssey4me commented 10 years ago

I can't say that I'm aware of when credentials are passed in clear text here, but the same comment as https://github.com/rcbops/chef-cookbooks/issues/892 applies here.

claco commented 10 years ago

I assume it's when the API service talks to the registry service directly.