OpenStack Identity (keystone)

[OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)

Bug #1443598 reported by Eric Brown on 2015-04-13

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Identity (keystone)	Fix Released	High	Eric Brown	OpenStack Identity (keystone) 8.0.0 "liberty"
Icehouse	Fix Released	High	Tristan Cacqueray	OpenStack Identity (keystone) 2014.1.5
Juno	Fix Released	High	Eric Brown	OpenStack Identity (keystone) 2014.2.4
Kilo	Fix Released	High	Doug Hellmann	OpenStack Identity (keystone) 2015.1.0 "kilo"
OpenStack Security Advisory	Fix Released	Medium	Tristan Cacqueray

Bug Description

The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password.

Snippet from http://docs.openstack.org/developer/keystone/developing.html#dogpile-cache-based-mongodb-nosql-backend

[cache]
# Global cache functionality toggle.
enabled = True

# Referring to specific cache backend
backend = keystone.cache.mongo

# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password

As a result, passwords can be leaked to the keystone logs since the config options is not marked secret.

Tags:

OpenStack Infra (hudson-openstack) on 2015-04-13

Changed in keystone:
status:	New → In Progress

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-04-13:

https://review.openstack.org/#/c/173034/

Changed in keystone:
importance:	Undecided → High
tags:	added: juno-backport-potential
tags:	added: icehouse-backport-potential kilo-backport-potential

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-04-13:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-04-13:

In case we do issue an advisory, assuming only MongoDB backend is affected, here is the impact description draft:

Title: Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. An attacker with read access to Keystone logs may obtain the authentication information used to access the cache backend. Only Keystone setup using a password protected MongoDB as a cache backend are impacted.

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-04-13:

Tristan: Are you missing a "2014.1" at the beginning of the "Affects" field?

More importantly, there are other backends provided my dogpile that support authentication through "arguments" (which keystone exposes as "backend_arguments"):

http://dogpilecache.readthedocs.org/en/latest/api.html#dogpile.cache.backends.memcached.BMemcachedBackend

In addition, custom cache backend implementations could also utilize backend_arguments. All of those would be affected as well.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-04-13:

Dolph: So this bug only originated in Icehouse? You're saying it should be "2014.1 versions through 2014.1.4..." because you don't believe it existed prior to the first 2014.1 release?

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-13: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/173034
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9db1a65bd4d83d12c572ba4d5807845996ef410
Submitter: Jenkins
Branch: master

commit f9db1a65bd4d83d12c572ba4d5807845996ef410
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1443598

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-13: Fix proposed to keystone (proposed/kilo)

Fix proposed to branch: proposed/kilo
Review: https://review.openstack.org/173115

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-13: Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/173116

Lin Hua Cheng (lin-hua-cheng) on 2015-04-14

tags:

added: kilo-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-15: Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/174075

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-15: Change abandoned on keystone (proposed/kilo)

#10

Change abandoned by Doug Hellmann (<email address hidden>) on branch: proposed/kilo
Review: https://review.openstack.org/173115
Reason: replaced by https://review.openstack.org/174075 in stable/kilo

Thierry Carrez (ttx) on 2015-04-20

Changed in ossa:
importance:	Undecided → Medium
status:	Incomplete → Confirmed
status:	Confirmed → Triaged

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-04-20: Re: backend_argument containing a password leaked in logs

#11

Thanks Dolph for the feedback, here is a revised impact description draft:

Title: Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. An attacker with read access to Keystone logs may obtain sensitive data for certain backends, like a password for MongoDB. All Keystone setup are impacted.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-20: Fix proposed to keystone (stable/icehouse)

#12

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/175519

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-20: Fix merged to keystone (stable/kilo)

#13

Reviewed: https://review.openstack.org/174075
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Submitter: Jenkins
Branch: stable/kilo

commit 86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1443598

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-20: Fix merged to keystone (stable/juno)

#14

Reviewed: https://review.openstack.org/173116
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=695153a523faa9310e2e20d0333c33a47334208a
Submitter: Jenkins
Branch: stable/juno

commit 695153a523faa9310e2e20d0333c33a47334208a
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1443598

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Thierry Carrez (ttx) on 2015-04-21

tags:

removed: kilo-backport-potential kilo-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-30: Fix proposed to keystone (master)

#15

Fix proposed to branch: master
Review: https://review.openstack.org/179288

Revision history for this message

Thierry Carrez (ttx) wrote on 2015-05-04: Re: backend_argument containing a password leaked in logs

#16

Alternate proposal:

Title: Potential Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends, . All Keystone setups are potentially impacted.

NB: Kilo is not affected.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-05-04:

#17

impact description in comment #16 looks good to me, I'm requesting a cve with it now

Tristan Cacqueray (tristan-cacqueray) on 2015-05-04

summary:

- backend_argument containing a password leaked in logs
+ backend_argument containing a password leaked in logs (CVE-2015-3646)

Tristan Cacqueray (tristan-cacqueray) on 2015-05-04

Changed in ossa:
status:	Triaged → In Progress
summary:	- backend_argument containing a password leaked in logs (CVE-2015-3646) + [OSSA 2015-008] backend_argument containing a password leaked in logs + (CVE-2015-3646)
Changed in ossa:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Tristan Cacqueray (tristan-cacqueray) on 2015-05-05

Changed in ossa:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-27: Fix merged to keystone (stable/icehouse)

#18

Reviewed: https://review.openstack.org/175519
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a1548eb670d74cac7ff9bb8c4b4228059e6b9e4a
Submitter: Jenkins
Branch: stable/icehouse

commit a1548eb670d74cac7ff9bb8c4b4228059e6b9e4a
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1443598

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Tristan Cacqueray (tristan-cacqueray) on 2015-05-27

Changed in ossa:
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to keystone (master)

#19

Download full text (4.7 KiB)

Reviewed: https://review.openstack.org/179288
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9bc6043eb06199b8d4dbf6698e129d984a59cc11
Submitter: Jenkins
Branch: master

commit 65a50eebb8d0a53a2c4c226eb9a564c4d535ac68
Author: Brant Knudson <email address hidden>
Date: Wed Apr 22 11:33:00 2015 -0500

Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab

This syncs to oslo-incubator to commit 64b5819 and also includes
51280db.

    Change-Id: I7b43a67a0b67fe0ff5ac3d87708ecc4ab52102f8
    Depends-On: Ie51669bd278288b768311ddf56ad31a2f28cc7ab
    Closes-Bug: #1446583
    (cherry picked from commit 797da5f05444e7cfbf55df52867ade6107834f00)

commit 579a065c0dcce554a5dca86164eb8f1d6fb43c4d
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Apr 20 17:55:55 2015 +0000

Updated from global requirements

Change-Id: I72af7a36f2c3ba206be06fa35323386801e6ff81

commit 906485152a8ec886cf4a45cbe1037184ce39f1a1
Author: Andreas Jaeger <email address hidden>
Date: Mon Apr 20 11:11:25 2015 +0200

Release Import of Translations from Transifex

    Manual import of Translations from Transifex. This change also removes
    all po files that are less than 66 per cent translated since such
    partially translated files will not help users.

    This change needs to be done manually since the automatic import does
    not handle the proposed branches and we need to sync with latest
    translations.

Change-Id: Iaf4bdae303b06c1af4023fe2daa3a6b03c195ee9

commit 18ca7fabece4837ad56e435bc9d5f0b6278fa4be
Author: Alexander Makarov <email address hidden>
Date: Mon Apr 6 15:49:41 2015 +0300

Make memcache client reusable across threads

    memcache.Client is inherited from threading._local so instances are only
    accessible from current thread or eventlet. Present workaround broke
    inheritance chain so super() call is unusable.

This patch makes artificial client class mimic inheritance from
threading._local while using generic object methods allowing reusability.

    Change-Id: Ic5d5709695877afb995fd816bb0e4ce711b99b60
    Closes-Bug: #1440493
    (cherry picked from commit 33a95575fc3778bf8ef054f7b9d24fcb7c75100b)

commit cedce339a08d475617c7f57c148e192dc3709a34
Author: Thierry Carrez <email address hidden>
Date: Thu Apr 16 22:19:42 2015 +0200

Set default branch to stable/kilo

Open stable/kilo branch by setting defaultbranch for git-review.

Change-Id: If5b35b0fc5a85ba8dda16dc6b365537ed0d839bc

commit 86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1443598

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

commit b679e7d6be18d33ebdfe133161a3daf2f305d954
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 7 18:47:34 2015 +0000

Update man p...

Reviewed:  https://review.openstack.org/179288
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9bc6043eb06199b8d4dbf6698e129d984a59cc11
Submitter: Jenkins
Branch:    master

commit 65a50eebb8d0a53a2c4c226eb9a564c4d535ac68
Author: Brant Knudson <bknudson@us.ibm.com>
Date:   Wed Apr 22 11:33:00 2015 -0500

Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab
    
    This syncs to oslo-incubator to commit 64b5819 and also includes
    51280db.
    
    Change-Id: I7b43a67a0b67fe0ff5ac3d87708ecc4ab52102f8
    Depends-On: Ie51669bd278288b768311ddf56ad31a2f28cc7ab
    Closes-Bug: #1446583
    (cherry picked from commit 797da5f05444e7cfbf55df52867ade6107834f00)

commit 579a065c0dcce554a5dca86164eb8f1d6fb43c4d
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Apr 20 17:55:55 2015 +0000

Updated from global requirements
    
    Change-Id: I72af7a36f2c3ba206be06fa35323386801e6ff81

commit 906485152a8ec886cf4a45cbe1037184ce39f1a1
Author: Andreas Jaeger <aj@suse.de>
Date:   Mon Apr 20 11:11:25 2015 +0200

Release Import of Translations from Transifex
    
    Manual import of Translations from Transifex. This change also removes
    all po files that are less than 66 per cent translated since such
    partially translated files will not help users.
    
    This change needs to be done manually since the automatic import does
    not handle the proposed branches and we need to sync with latest
    translations.
    
    Change-Id: Iaf4bdae303b06c1af4023fe2daa3a6b03c195ee9

commit 18ca7fabece4837ad56e435bc9d5f0b6278fa4be
Author: Alexander Makarov <amakarov@mirantis.com>
Date:   Mon Apr 6 15:49:41 2015 +0300

Make memcache client reusable across threads
    
    memcache.Client is inherited from threading._local so instances are only
    accessible from current thread or eventlet. Present workaround broke
    inheritance  chain so super() call is unusable.
    
    This patch makes artificial client class mimic inheritance from
    threading._local while using generic object methods allowing reusability.
    
    Change-Id: Ic5d5709695877afb995fd816bb0e4ce711b99b60
    Closes-Bug: #1440493
    (cherry picked from commit 33a95575fc3778bf8ef054f7b9d24fcb7c75100b)

commit cedce339a08d475617c7f57c148e192dc3709a34
Author: Thierry Carrez <thierry@openstack.org>
Date:   Thu Apr 16 22:19:42 2015 +0200

Set default branch to stable/kilo
    
    Open stable/kilo branch by setting defaultbranch for git-review.
    
    Change-Id: If5b35b0fc5a85ba8dda16dc6b365537ed0d839bc

commit 86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Author: Eric Brown <browne@vmware.com>
Date:   Mon Apr 13 11:37:53 2015 -0700

backend_argument should be marked secret
    
    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.
    
    Closes-Bug: #1443598
    
    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
    (cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

commit b679e7d6be18d33ebdfe133161a3daf2f305d954
Author: Lance Bragstad <lbragstad@gmail.com>
Date:   Tue Apr 7 18:47:34 2015 +0000

Update man pages for the Kilo release
    
    The current man pages for keystone-manage don't include commands relating to
    Fernet setup, or the domain configuration upload.
    
    Change-Id: Ifd208151470d8d39d3d4851557e45dc12d1a577b
    Closes-Bug: #1441300
    (cherry picked from commit 7d8b6eb2ac4f46dbe63e3883de5b8ad85b7e8251)

commit 21a1daeaad0e54c373ed91c9e6dbd6391c03eeff
Author: guang-yee <guang.yee@hp.com>
Date:   Wed Apr 8 16:07:02 2015 -0700

make sure we properly initialize the backends before using the drivers
    
    Change-Id: I298515dafd7f8eb8a02745d128296a0da596adf6
    closes-bug: #1441386
    (cherry picked from commit da2effe7f33f5822da33b3966e3afd386d6f43cb)

commit f1cd53aa5461e28120c97378ab749571c41a5bc1
Author: lin-hua-cheng <os.lcheng@gmail.com>
Date:   Wed Apr 8 17:03:23 2015 -0700

WebSSO should use remote_id_attribute by protocol
    
    WebSSO always use the remote_id_attribute from the
    [federation] group. Fix the issue, by consuming the
    protocol specific remote_id_attribute if available.
    
    Change-Id: Icdc693965ec53e5ff8f1901af26c9232a20aef7e
    Closes-Bug: #1441827
    (cherry picked from commit 9b11d13856034e3a2cf6ab1f6ca80a6965818d17)

commit a3d8ae8f5fa092fe99a35c0ea714eb5ce81bcc0b
Author: Brant Knudson <bknudson@us.ibm.com>
Date:   Tue Apr 7 19:35:00 2015 -0500

Work with pymongo 3.0
    
    pymongo 3.0 renamed mongos_enum to read_pref_mode_from_name which
    was causing the unit tests to fail.
    
    Change-Id: Iaa7fd7221c2e6c865633ef342e6b83304a1de655
    Closes-Bug: 1441393
    (cherry picked from commit 7c3fe6acaef6fc283c383fb79f06e388df6e6926)

Doug Hellmann (doug-hellmann) on 2015-06-23

Changed in keystone:
milestone:	none → liberty-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in keystone:
milestone:	liberty-1 → 8.0.0

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.