lbaasv2-agent is logging credentials from barbican

Bug #1524675 reported by fujioka yuuichi
Affects / Status / Importance / Assigned to / Milestone
OpenStack Security Advisory: Won't Fix / Undecided / Unassigned / (none)
neutron: Fix Released / High / Adam Harwell / (none)

Bug Description

In Liberty, the neutron-lbaasv2-agent is logging credentials retrieved from barbican when debug=True (e.g. cert, private key, passphrase).

This is a security issue.

Example: http://paste.openstack.org/show/481439/ (part of /var/log/neutron/neutron-lbaasv2-agent.log)

Tags: lbaas
description: updated
Akihiro Motoki (amotoki)
tags: added: lbaas
Akihiro Motoki (amotoki)
description: updated
description: updated
Akihiro Motoki (amotoki)
summary: - lbaasv2 is logging key that is on barbican
+ lbaasv2-agent is logging credentials from barbican
Changed in neutron:
importance: Undecided → High
Henry Gessau (gessau)
information type: Public → Private Security
Jeremy Stanley (fungi) wrote :

Note that this bug was public for 6 hours and E-mail copies of all the information it contains were forwarded to anyone who subscribes to Neutron on Launchpad (easily numbering in the hundreds of recipients). As they say, you can't put the beans back in the can.

information type: Private Security → Public Security
Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Note that information disclosure only in "DEBUG" level logging (class B3 in our taxonomy at https://security.openstack.org/vmt-process.html#incident-report-taxonomy ) is treated as a security hardening opportunity by the OpenStack Vulnerability Management Team, not an exploitable vulnerability, and as such does not generally result in publication of an official advisory nor any request for CVE assignment.

There is also the open question of whether this is a vulnerability in the core of Neutron or within one of the advanced services projects (VMT coverage for the latter has yet to be discussed).

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lbaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/258204

Changed in neutron:
assignee: nobody → Adam Harwell (adam-harwell)
status: New → In Progress
Tristan Cacqueray (tristan-cacqueray) wrote :
Changed in ossa:
status: Incomplete → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lbaas (master)

Reviewed: https://review.openstack.org/258204
Committed: https://git.openstack.org/cgit/openstack/neutron-lbaas/commit/?id=a326493ad9b2a10329a312658d27a607fc898614
Submitter: Jenkins
Branch: master

commit a326493ad9b2a10329a312658d27a607fc898614
Author: Adam Harwell <email address hidden>
Date: Tue Dec 15 16:31:59 2015 -0800

    Use keystoneauth to prevent logging sensitive data

    Change-Id: I00e260a28d043a27fb335ee8d8030b3c515bda9e
    Closes-Bug: #1524675

Changed in neutron:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron-lbaas 8.0.0.0b2

This issue was fixed in the openstack/neutron-lbaas 8.0.0.0b2 development milestone.
