chef-cookbooks
[ceilometer] Ceilometer API - Unencrypted Submission of Credentials
This is from the internal security review recommendations.
**Severity:** High
**Description / Exploit:** The RPC Ceilometer API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.
**Impact:** Anyone can read the information by gaining access to the channel being used for communication.
**Systems Vulnerable:** http://198.101.133.159:8777
**Suggested Mitigation:** Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).
**Further References:** http://cwe.mitre.org/data/definitions/319.html, https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see the other open issues around https and client certs), and changes to the novarc files and the monitoring/monit checks.
Affects:
* `cookbooks/ceilometer/attributes/default.rb`
  * line 33: `default["ceilometer"]["services"]["api"]["port"] = 8777`
  * line 41: `default["ceilometer"]["services"]["internal-api"]["port"] = 8777`
  * line 46: `default["ceilometer"]["services"]["admin-api"]["port"] = 8777`
  * line 51: `default["ceilometer"]["services"]["central"]["port"] = 8777`
* `cookbooks/ceilometer/README.md`
  * line 95: * `ceilometer["services"]["api"]["port"]` = 8777
Hello,
Please let me know if I should open a new bug report for this. This seems like the place where the work on this is being done.
I received the following report from a user using v4.2.1.
"When enabling 'https' for ceilometer on HA controllers, the ceilometer apache vhost is set to bind to the VIP address instead of the 'host' address. HA Proxy fails to reach the service. If you manually change the vhost apache IP, the service works."
Environment JSON change:

```json
"ceilometer": { "service_pass": "XXXXXX", "services": { "api": { "scheme": "https" } } },
```
Affected file: /etc/apache2/sites-enabled/openstack-ceilometer-api (VirtualHost becomes the environment's API VIP IP instead of the IP of the host)
@kstev No need to open a new bug - we will need to thoroughly test this feature with our QE folks before release and this is a good reminder of some of the deficiencies.
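As an added illustration (not the cookbook's own code) of the two points in this thread, the cleartext-endpoint audit that the suggested mitigation calls for and the VIP-versus-host vhost binding from the HA report, here is a standalone Ruby check over constructed attribute and vhost data; the per-service `scheme`/`host` keys and the 10.0.0.x addresses are assumptions.

```ruby
# Constructed attribute subtree in the shape of the cookbook's
# default["ceilometer"]["services"] (service names and port 8777 are from this
# issue; "scheme" and "host" per service are assumed keys for illustration).
INSECURE_NODE = {
  "ceilometer" => {
    "services" => {
      "api"          => { "scheme" => "http",  "host" => "10.0.0.11", "port" => 8777 },
      "internal-api" => { "scheme" => "http",  "host" => "10.0.0.11", "port" => 8777 },
      "admin-api"    => { "scheme" => "https", "host" => "10.0.0.11", "port" => 8777 },
    },
  },
}

# Hardened variant of the same tree: every endpoint served over TLS.
SECURE_NODE = Marshal.load(Marshal.dump(INSECURE_NODE)).tap do |n|
  n["ceilometer"]["services"].each_value { |svc| svc["scheme"] = "https" }
end

# Return [name, url] pairs for endpoints not served over https, i.e. the ones
# that would carry API keys in cleartext (CWE-319).
def cleartext_endpoints(node)
  node["ceilometer"]["services"]
    .reject { |_name, svc| svc["scheme"] == "https" }
    .map { |name, svc| [name, "#{svc["scheme"]}://#{svc["host"]}:#{svc["port"]}"] }
end

# Constructed vhost snippets in the shape of
# /etc/apache2/sites-enabled/openstack-ceilometer-api; 10.0.0.100 is the
# assumed API VIP and 10.0.0.11 the controller's own address.
VHOST_ON_VIP  = "<VirtualHost 10.0.0.100:8777>\n  ServerName ceilometer\n</VirtualHost>\n"
VHOST_ON_HOST = "<VirtualHost 10.0.0.11:8777>\n  ServerName ceilometer\n</VirtualHost>\n"

# Extract the "addr:port" operand of every <VirtualHost ...> directive.
def vhost_binds(conf)
  conf.scan(/^\s*<VirtualHost\s+([^\s>]+)\s*>/).flatten
end

# True when a vhost listens on the VIP rather than the host's own address,
# which is what leaves HAProxy unable to reach the backend in the HA report.
def bound_to_vip?(conf, host_ip, vip)
  vhost_binds(conf).any? { |bind| bind.split(":").first == vip && vip != host_ip }
end

if __FILE__ == $PROGRAM_NAME
  cleartext_endpoints(INSECURE_NODE).each { |name, url| puts "cleartext: #{name} -> #{url}" }
  puts "vhost bound to VIP" if bound_to_vip?(VHOST_ON_VIP, "10.0.0.11", "10.0.0.100")
end
```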