[OSSA 2013-031] Ceilometer log contains DB password in plain text (CVE-2013-6384)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ceilometer | Fix Released | High | Julien Danjou |
Havana | Fix Released | High | Julien Danjou |
OpenStack Security Advisory | Fix Released | Medium | Thierry Carrez |
Bug Description
Both impl_db2.py and impl_mongodb.py log the password used to access the database by printing out the connection string from ceilometer.conf. The database connection configuration parameter is usually marked secret because it contains this password.
https:/
https:/
Typically, this ends up getting written to /var/log/
For example:
2013-10-22 15:33:41.244 10537 INFO ceilometer.
where "ceilometer" is the user and "fe85b844214814
I recommend removing this line or at least masking out the password part.
LOG.info(
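An added example, in Python, of the masking the report recommends; it is not code from the Ceilometer project, from the fix that shipped, or from the bug reporter. `mask_url_password` rewrites a connection URL so the password part of its userinfo is replaced before the string reaches a log call, and `find_credential_leaks` scans log lines for URLs that still carry `user:password@`, which is the check an operator would want to run over an existing log tree after upgrading. The function names, the `***` mask, the sample log lines (including the module path, timestamps and the password value `s3cr3t`) are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Mask written in place of the password. Chosen for this example; it is
# not the string Ceilometer's own fix uses.
MASK = '***'


def mask_url_password(url, mask=MASK):
    """Return `url` with the password in its userinfo replaced by `mask`.

    Covers the shapes that appear in a ceilometer.conf connection string:
    no credentials at all (sqlite:///..., mongodb://host/db), a user with
    no password, a password containing ':' or a raw '@', and a MongoDB
    multi-host netloc (user:pw@h1:27017,h2:27017/db). A URL without
    userinfo is returned unchanged, byte for byte, so nothing else in it
    is rewritten on the way to the log.
    """
    parts = urlsplit(url)
    if '@' not in parts.netloc:
        return url
    # The last '@' separates userinfo from the host(s); a raw '@' inside
    # a password (invalid, but seen in real configs) must not split here.
    userinfo, _, hostpart = parts.netloc.rpartition('@')
    if ':' not in userinfo:
        return url  # user only, nothing secret to hide
    # Everything after the first ':' of the userinfo is the password.
    user, _, _ = userinfo.partition(':')
    netloc = '%s:%s@%s' % (user, mask, hostpart)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query,
                       parts.fragment))


# Matches scheme://user:password@ and skips a password that is already a
# run of '*', so a scan over logs written after the fix stays quiet.
_CRED_URL = re.compile(
    r'\b([a-z][a-z0-9+.\-]*)://([^\s:/@]+):(?!\*+@)([^\s@]+)@')


def find_credential_leaks(lines):
    """Return (line_number, scheme, user) for each line that logs a URL
    with an embedded password. The password itself is deliberately not
    returned, so the scanner's own output is safe to paste into a ticket.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in _CRED_URL.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


# Constructed sample lines in the Havana-era log layout. The module path,
# message text, timestamps and the password 's3cr3t' are invented here.
SAMPLE_LOG = [
    '2013-10-22 15:33:41.244 10537 INFO ceilometer.storage.impl_mongodb [-] '
    'connecting to mongodb://ceilometer:s3cr3t@localhost:27017/ceilometer',
    '2013-10-22 15:33:41.250 10537 INFO ceilometer.storage.impl_mongodb [-] '
    'connecting to mongodb://ceilometer:***@localhost:27017/ceilometer',
    '2013-10-22 15:33:42.001 10537 DEBUG ceilometer.collector [-] '
    'connection = sqlite:////var/lib/ceilometer/ceilometer.sqlite',
]


if __name__ == '__main__':
    for url in ('mongodb://ceilometer:s3cr3t@localhost:27017/ceilometer',
                'db2://ceilometer:pa:ss@db2host:50000/ceilodb',
                'mongodb://ceilometer:s3cr3t@h1:27017,h2:27017/ceilometer'
                '?replicaSet=rs0',
                'sqlite:////var/lib/ceilometer/ceilometer.sqlite'):
        print(mask_url_password(url))
    for lineno, scheme, user in find_credential_leaks(SAMPLE_LOG):
        print('line %d leaks a %s password for user %r'
              % (lineno, scheme, user))
```

The masking is done on the URL before it is handed to the logger rather than by filtering log records afterwards: a log filter has to recognise every shape a secret can take, whereas the connection string is the one place this particular secret is known to live. The early `return url` for URLs without userinfo also sidesteps `urlunsplit` rewriting odd forms such as the four-slash `sqlite:////` path.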
CVE References
CVE-2013-6384
tags: added: havana-backport-potential
Changed in ceilometer:
  status: New → Triaged
  importance: Undecided → High
  assignee: nobody → Julien Danjou (jdanjou)
  milestone: none → icehouse-1
Changed in ceilometer:
  status: Triaged → In Progress
Changed in ossa:
  importance: Undecided → Medium
  status: Incomplete → Confirmed
Changed in ossa:
  status: In Progress → Fix Committed
Changed in ceilometer:
  status: Fix Committed → Fix Released
tags: removed: havana-backport-potential
Changed in ceilometer:
  milestone: icehouse-1 → 2014.1
Given that these are non-DEBUG logs, I'd tend to publish an OSSA about this.