Obfuscation of config options marked as secret needs to be more opaque
Bug #1341774 reported by Henry Nash
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
oslo-incubator | Fix Released | Low | Zhongyue Luo |
Bug Description
The current code in oslo to log configuration settings honors the "secret" attribute that is available on config options. If this is set, then the value of the option is logged as a string of asterisks. However, the code actually logs a string of asterisks the same length as the actual value of the option. Knowing the length of something that is secret could aid any cracking attempt.
A better solution would be to just log a fixed length string of asterisks (e.g. "**********").
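The length leak described in the report, shown side by side with the fixed-width mask it proposes. This is an added illustration, not oslo's own code: `Opt`, `mask_value_leaky`, `mask_value_fixed`, `format_opt_values` and `leaks_length` are hypothetical stand-ins for the option object and the config-dump logging routine.

```python
"""Added example: why masking a secret with '*' * len(value) still leaks,
and what a fixed-width mask looks like. Not oslo's code (hypothetical)."""

# Fixed-length replacement suggested in the bug report.
SECRET_MASK = "**********"


class Opt:
    """Minimal stand-in for a config option with a 'secret' flag."""

    def __init__(self, name, value, secret=False):
        self.name = name
        self.value = value
        self.secret = secret


def mask_value_leaky(opt):
    """Behaviour the report describes: mask length == value length,
    so 'hunter2' becomes '*******' and reveals a 7-character secret."""
    if opt.secret:
        return "*" * len(str(opt.value))
    return str(opt.value)


def mask_value_fixed(opt):
    """Proposed fix: constant mask, independent of the secret's length."""
    if opt.secret:
        return SECRET_MASK
    return str(opt.value)


def format_opt_values(opts, masker):
    """Render the config-dump lines a log_opt_values-style routine emits,
    using the given masker for options flagged as secret."""
    return ["%s = %s" % (opt.name, masker(opt)) for opt in opts]


def leaks_length(masker):
    """Check: two secrets of different length must render identically.
    Returns True if the masker's output still depends on the length."""
    short = Opt("admin_password", "hunter2", secret=True)
    long_ = Opt("admin_password", "correct horse battery staple", secret=True)
    return masker(short) != masker(long_)


if __name__ == "__main__":
    # Constructed sample options; only 'admin_password' is secret.
    sample = [Opt("debug", True), Opt("admin_password", "hunter2", secret=True)]
    print("\n".join(format_opt_values(sample, mask_value_leaky)))  # leaks length
    print("\n".join(format_opt_values(sample, mask_value_fixed)))  # does not
```

The `leaks_length` check is the property a reviewer would assert on the fix: mask output must be identical for secrets of any length.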
Changed in ossa:
status: New → Incomplete
information type: Private Security → Public Security

Changed in ossa:
status: Incomplete → Won't Fix
information type: Public Security → Public
tags: added: log low-hanging-fruit

Changed in oslo:
importance: Undecided → Low
status: New → Triaged

Changed in oslo:
status: In Progress → Fix Committed

Changed in oslo-incubator:
milestone: none → juno-3
status: Fix Committed → Fix Released
Hi, the OSSA task is set to incomplete pending additional security details.
Does the configuration settings dump require special permissions, and what is the likelihood of someone not authorized observing the output?