Password is exposed in the log file

Bug #1336225 reported by Kanagaraj Manickam
Affects: OpenStack Heat
Status: Fix Released
Importance: Medium
Assigned to: Kanagaraj Manickam

Bug Description

heat-keystone-setup-domain is logging the password to the log file. This defect is filed to remove the logging statement, as it is a security concern.

Tags: security
Changed in heat:
assignee: nobody → Kanagaraj Manickam (kanagaraj-manickam)
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

The OSSA task is set to incomplete pending additional details from the security reviewer. Also please note that while this bug is marked private security, you'll want to attach the fix to this Launchpad bug report if you prefer to keep this under cover. The process is described here: https://wiki.openstack.org/wiki/VulnerabilityManagement

Does this leak happen in debug mode, or is it all the time?

Changed in ossa:
status: New → Incomplete
information type: Private Security → Public Security
Changed in heat:
status: New → In Progress
Revision history for this message
Steven Hardy (shardy) wrote :

> Does this leak happen in debug mode, or is it all the time?

It's only debug level logging

Revision history for this message
Steven Hardy (shardy) wrote :

Since this only happens at debug level I don't think this is really a serious security concern (AFAIK many projects log potentially sensitive developer level information at debug level, but the expectation AIUI is that production environments would not log at debug level?).

Also given the nature of this tool, I'm not clear it would even ever end up logged to any log file (it's run once during heat install, and the logger is likely to just write to the terminal not any file).

That said, I'm fine with removing the logging as we don't really need it.
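
The point made above (the leak only occurs when the logger is at debug level) and the fix the bug asks for (remove the statement) can both be seen in a short script. This is an added example, not Heat's code and not the heat-keystone-setup-domain tool: setup_domain(), run(), password_leaked(), MaskSecrets and SECRET_KEYS are hypothetical names, and the credentials are constructed. It shows the password reaching the captured log only when the logger is set to DEBUG, and a logging.Filter that masks key=value secrets at every level, as defense in depth for the case where an operator does turn debug on for troubleshooting. Removing the statement, as the merged fix does, remains the primary fix.

```python
"""Added example (not Heat's code): a debug-level password leak, the
level gating that usually hides it, and a logging.Filter that masks
secrets regardless of level."""
import io
import logging
import re

# Hypothetical list of field names to mask; an assumption for this
# example, not a list taken from Heat.
SECRET_KEYS = ("password", "passwd", "secret", "token")
_SECRET_RE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")\b(\s*[=:]\s*)(['\"]?)([^'\",\s]+)\3"
)


class MaskSecrets(logging.Filter):
    """Logger-level filter: rewrite key=value secrets to key=*** before any
    handler formats the record, so the masking applies at every log level."""

    def filter(self, record):
        # Render the message once (msg % args), then drop args so handlers
        # do not re-apply the original arguments.
        record.msg = _SECRET_RE.sub(r"\1\2\3***\3", record.getMessage())
        record.args = ()
        return True


def setup_domain(logger, domain, admin_user, password):
    """Hypothetical stand-in for the setup tool described in the bug.
    The debug line is the offending pattern: the password goes into the log."""
    logger.debug("Creating domain %s with admin %s password=%s",
                 domain, admin_user, password)
    logger.info("Domain %s configured", domain)


def run(level, mask=False):
    """Run setup_domain() under a fresh logger at `level` ("DEBUG", "INFO")
    and return everything that reached the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("example.%s.%s" % (level, mask))
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if mask:
        logger.addFilter(MaskSecrets())
    # Constructed sample credentials for the demonstration.
    setup_domain(logger, "heat", "heat_domain_admin", "s3cr3t-pass")
    return buf.getvalue()


def password_leaked(log_text):
    """True if the sample password appears verbatim in the captured log."""
    return "s3cr3t-pass" in log_text


if __name__ == "__main__":
    for level, mask in (("INFO", False), ("DEBUG", False), ("DEBUG", True)):
        print("level=%s mask=%s leaked=%s"
              % (level, mask, password_leaked(run(level, mask))))
```

Run as a script, the three lines report no leak at INFO, a leak at DEBUG without the filter, and no leak at DEBUG with it. The filter only recognises key=value shapes it has been told about, which is why it is a safety net rather than a substitute for not logging the credential in the first place.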

Changed in heat:
importance: Undecided → Medium
milestone: none → juno-2
Revision history for this message
Jeremy Stanley (fungi) wrote :

Removing the advisory task and tagging this as a security hardening/strengthening measure.

information type: Public Security → Public
tags: added: security
no longer affects: ossa
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/103842
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=35cf2f7a3beb6ac5fd198aa6ce1cdb492a099cf2
Submitter: Jenkins
Branch: master

commit 35cf2f7a3beb6ac5fd198aa6ce1cdb492a099cf2
Author: Kanagaraj Manickam <email address hidden>
Date: Tue Jul 1 16:34:21 2014 +0530

    Don't expose password in heat-keystone-setup-domain logs

    heat-keystone-setup-domain is logging
    the password to the log file. This patch
    removes the logging, as it is a security concern.

    Change-Id: I0f017a9c114ac60ea9f5e0df012334ead8cb434a
    Closes-bug: #1336225

Changed in heat:
status: In Progress → Fix Committed
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-2 → 2014.2