neutronclient debug logging includes keystone auth token

Bug #1320098 reported by Xu Han Peng
Affects: python-neutronclient
Status: Fix Released
Importance: Medium
Assigned to: Feng Ju
Milestone: (not set)

Bug Description

neutronclient is logging the auth token in the nova logs. Since the logs are world-readable, this means any user on this system can see the auth token, which they can then use to get OpenStack administrator access.

Tags: security
Xu Han Peng (xuhanp)
information type: Private Security → Public
Changed in neutron:
assignee: nobody → Xu Han Peng (xuhanp)
Wei Wang (damon-devops) wrote :

This is similar to a bug in keystone: bug #1004114

Dolph Mathews commented on this bug's patch: "why would a production environment have debug enabled?"

I think this bug may need reconsidering.

Changed in neutron:
status: New → In Progress
Matthew Edmonds (edmondsw) wrote :

Production environments wouldn't normally have debug enabled, but it may be enabled for debugging purposes, e.g. when a problem has not been reproducible in a non-production environment. Also note that we should be conscious of security in non-production as well as production environments.

affects: neutron → python-neutronclient
Changed in python-neutronclient:
importance: Undecided → Medium
tags: added: security
Changed in python-neutronclient:
assignee: Xu Han Peng (xuhanp) → Feng Ju (jufeng)
Robert Clark (robert-clark) wrote :

Limited security impact because it's client side but certainly an issue that needs to be fixed.

-Rob

Changed in python-neutronclient:
assignee: Feng Ju (jufeng) → Xu Han Peng (xuhanp)
Changed in python-neutronclient:
assignee: Xu Han Peng (xuhanp) → Feng Ju (jufeng)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-neutronclient (master)

Change abandoned by Xu Han Peng (<email address hidden>) on branch: master
Review: https://review.openstack.org/93866
Reason: Abandon this patch because X-Auth-Token has been replaced by "TOKEN_REDACTED" by this keystone client patch:
https://github.com/openstack/python-keystoneclient/commit/605577192d7158ecf40bd9a94b7cf3acc2ce1c95

Xu Han Peng (xuhanp) wrote :

Mark as fixed since X-Auth-Token has been replaced by "TOKEN_REDACTED" by this keystone client patch:
 https://github.com/openstack/python-keystoneclient/commit/605577192d7158ecf40bd9a94b7cf3acc2ce1c95
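The redaction the thread settles on, as an added illustration (not code from this bug, the abandoned review or python-keystoneclient): the token header is replaced by the fixed marker "TOKEN_REDACTED" before the debug line is built, so a world-readable log never carries the credential. The curl-style "REQ:" line format and the inclusion of X-Subject-Token alongside X-Auth-Token are assumptions made here.

```python
import logging
from typing import Mapping

# Marker quoted in this bug as the value the keystoneclient fix substitutes.
REDACTED = "TOKEN_REDACTED"

# Header names (matched case-insensitively) whose values must never reach a log.
# X-Auth-Token is the header this bug is about; X-Subject-Token is an assumption
# added here because Keystone returns newly issued tokens in it.
SENSITIVE_HEADERS = frozenset({"x-auth-token", "x-subject-token"})


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Return a copy of `headers` with every sensitive value replaced by REDACTED.

    The input mapping is not modified, so the real token is still sent on the wire;
    only the copy handed to the logger is scrubbed.
    """
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def format_request_for_log(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Build a curl-style debug line (format assumed here) from redacted headers."""
    header_str = " ".join(
        f'-H "{name}: {value}"' for name, value in redact_headers(headers).items()
    )
    return f"REQ: curl -i -X {method} {header_str} {url}"


def log_request(method: str, url: str, headers: Mapping[str, str],
                logger: logging.Logger = logging.getLogger(__name__)) -> str:
    """Emit the debug line and return it so callers (and tests) can inspect it."""
    line = format_request_for_log(method, url, headers)
    logger.debug(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample request; the token value is made up for this demo.
    sample_headers = {"X-Auth-Token": "constructed-token-0123456789",
                      "Content-Type": "application/json"}
    log_request("GET", "http://neutron.example.test/v2.0/networks", sample_headers)
```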

Changed in python-neutronclient:
status: In Progress → Fix Released