Keystone client logs x-subject-token at the debug log level
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
python-keystoneclient | Fix Released | Medium | Ankit Agrawal | 0.11.2
Bug Description
When you invoke any OpenStack API of any of the OpenStack services listed below, it logs the readable x-subject-token as a debug log message in the respective log file.
x-subject-token was introduced in v3, so only setups using v3 keystone APIs are affected.
All OpenStack services using keystone client for authentication and the debug log level are affected.
Services affected are:
glance
neutron
cinder
heat
ceilometer
nova
keystone
For example, I tried to list servers from nova using the "nova list" command, and it recorded the following log message in nova-api.log:
nova-api.log
{{{
2014-09-18 15:48:14.491 20940 DEBUG keystoneclient.
2014-09-18 15:48:14.533 20940 DEBUG keystoneclient.
}}}
I can then simply use x-subject-token: '7574276dc55f45
{{{
openstack@ubuntu:~$ curl -i 'http://
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
X-Compute-
Date: Thu, 18 Sep 2014 22:58:56 GMT
{"servers": []}
}}}
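The report shows the two halves of the problem: the DEBUG line that writes the response headers, token included, and the replay of that token with curl. Two things a practitioner wants at this point are a way to mask such headers before they are logged and a way to find tokens that have already reached a log file. The following is an added Python example written for this page; it is not code from python-keystoneclient, from the reporter, or from the fix shipped in 0.11.2. The header list, the masking scheme (a truncated SHA-256 fingerprint prefixed with `{SHA256}`), the `TOKEN_LINE_RE` pattern and the sample log lines are all constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Header names whose values must never reach a log file in clear text.
# Compared case-insensitively, as HTTP header names are. (Assumed list.)
SENSITIVE_HEADERS = {
    "x-subject-token",
    "x-auth-token",
    "x-service-token",
    "authorization",
}

# Hypothetical prefix chosen so a masked value is recognisable in a log.
MASK_PREFIX = "{SHA256}"


def mask_token(value: str) -> str:
    """Replace a secret with a short fingerprint.

    The same token always yields the same fingerprint, so requests can still
    be correlated across DEBUG lines, but the fingerprint cannot be replayed
    against the API the way the clear-text token in the report could.
    """
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return f"{MASK_PREFIX}{digest[:16]}"


def sanitize_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of ``headers`` that is safe to hand to a logger."""
    clean: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            clean[name] = mask_token(value)
        else:
            clean[name] = value
    return clean


def format_response_for_log(status: int, headers: Dict[str, str]) -> str:
    """Build the single DEBUG line a client would emit for an HTTP response,
    with sensitive headers already masked."""
    parts = [f"RESP: [{status}]"]
    for name, value in sanitize_headers(headers).items():
        parts.append(f"{name}: {value}")
    return " ".join(parts)


# Detection side: find clear-text tokens that already made it into a log.
# Matches both "X-Subject-Token: <tok>" and the Python dict repr form
# "'x-subject-token': '<tok>'" seen in the report. Masked values start with
# "{SHA256}", which is excluded by the lookahead and by the character class.
TOKEN_LINE_RE = re.compile(
    r"(?i)x-(?:subject|auth)-token['\"]?\s*[:=]\s*['\"]?"
    r"(?!\{SHA256\})([A-Za-z0-9+/=_-]{32,})"
)


def find_leaked_tokens(log_lines: Iterable[str]) -> List[str]:
    """Return every clear-text token found in ``log_lines``."""
    found: List[str] = []
    for line in log_lines:
        for match in TOKEN_LINE_RE.finditer(line):
            found.append(match.group(1))
    return found


# Constructed sample log lines (not taken from a real deployment). The first
# carries a clear-text token, the second a masked one, the third no token.
SAMPLE_LOG = [
    "2014-09-18 15:48:14.533 20940 DEBUG RESP: [200] "
    "{'x-subject-token': '9f3c0a7e5b2d4c1e8a6f0b3d7c5e2a19', "
    "'content-type': 'application/json'}",
    "2014-09-18 15:48:14.600 20940 DEBUG RESP: [200] "
    "{'x-subject-token': '{SHA256}0123456789abcdef', "
    "'content-type': 'application/json'}",
    "2014-09-18 15:48:15.001 20940 DEBUG GET /v2/servers status 200",
]


if __name__ == "__main__":
    for token in find_leaked_tokens(SAMPLE_LOG):
        print("clear-text token found in log:", token)
    safe_line = format_response_for_log(
        200,
        {
            "X-Subject-Token": "9f3c0a7e5b2d4c1e8a6f0b3d7c5e2a19",
            "Content-Type": "application/json",
        },
    )
    print("what the masked DEBUG line looks like:", safe_line)
```

Masking with a fingerprint rather than dropping the header keeps DEBUG output useful for correlating a token across requests, which is the usual reason the header was being logged in the first place. The detector is deliberately loose (any 32+ character opaque value after an `x-subject-token` or `x-auth-token` key) so it also catches the longer PKI and Fernet token formats, at the cost of the occasional false positive that a reviewer can discard.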
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public Security
information type: Public Security → Public
tags: added: security
Changed in python-keystoneclient:
assignee: nobody → Tushar Patil (tpatil)
status: New → In Progress
Changed in python-keystoneclient:
assignee: Tushar Patil (tpatil) → Ankit Agrawal (ankitagrawal)
Changed in python-keystoneclient:
importance: Undecided → Medium
Changed in python-keystoneclient:
milestone: none → 0.11.2
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Hi, thanks for the report!
Leaks in DEBUG mode are not considered a vulnerability, thus it's better to switch to public security and handle this in the open.