Keystone client logs x-subject-token at the debug log level

Bug #1371355 reported by Tushar Patil
Affects | Status | Importance | Assigned to | Milestone
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
python-keystoneclient | Fix Released | Medium | Ankit Agrawal |

Bug Description

When you invoke any API of any of the OpenStack services listed below, it logs the readable x-subject-token as a debug log message in the respective log file.

x-subject-token is introduced in v3, so only setups using v3 keystone apis are affected.

All OpenStack services that use keystone client for authentication and run at the debug log level are affected.
Services affected are:
glance
neutron
cinder
heat
ceilometer
nova
keystone
neutron

For example, when I tried to list servers from nova using the "nova list" command, it recorded the following log message in nova-api.log:

nova-api.log
{{{
2014-09-18 15:48:14.491 20940 DEBUG keystoneclient.session [-] REQ: curl -i -X GET http://10.69.4.172:35357/v3/auth/tokens -H "X-Subject-Token: TOKEN_REDACTED" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: TOKEN_REDACTED" _http_log_request /opt/stack/python-keystoneclient/keystoneclient/session.py:153

2014-09-18 15:48:14.533 20940 DEBUG keystoneclient.session [-] RESP: [200] CaseInsensitiveDict({'content-length': '7113', 'x-subject-token': '7574276dc55f45878f18e14396dcf7f5', 'vary': 'X-Auth-Token', 'server': 'Apache/2.4.7 (Ubuntu)', 'date': 'Thu, 18 Sep 2014 22:48:14 GMT', 'content-type': 'application/json'})
}}}

I can then simply use the x-subject-token '7574276dc55f45878f18e14396dcf7f5' as X-Auth-Token in the curl command and access the tenant's information.

{{{
openstack@ubuntu:~$ curl -i 'http://10.69.4.172:8774/v2/d8a8252b035b4c18bee9215292485f78/servers/detail' -X GET -H "Accept: application/json" -H "X-Auth-Project-Id: demo" -H "X-Auth-Token: 7574276dc55f45878f18e14396dcf7f5"

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
X-Compute-Request-Id: req-20ad9134-0c61-46de-91a1-da89283a057d
Date: Thu, 18 Sep 2014 22:58:56 GMT
{"servers": []}

}}}

Tags: security
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Hi, thanks for the report!

Leaks in DEBUG mode are not considered a vulnerability, thus it's better to switch to public security and handle this in the open.

Thierry Carrez (ttx) wrote :

I propose we open this one Monday, if nobody has complained before then.

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx)
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public Security
information type: Public Security → Public
tags: added: security
Tushar Patil (tpatil)
Changed in python-keystoneclient:
assignee: nobody → Tushar Patil (tpatil)
status: New → In Progress
Changed in python-keystoneclient:
assignee: Tushar Patil (tpatil) → Ankit Agrawal (ankitagrawal)
Nathan Kinder (nkinder) wrote :

It looks like the request side of this was taken care of in the following review:

  https://review.openstack.org/#/c/110117

It appears that the response side remains exposed. It needs similar 'TOKEN_REDACTED' logic to be implemented.

Brant Knudson (blk-u) wrote :

The problem is in keystoneclient, it's logged in _http_log_response: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py#n158

There's already code in _http_log_request that redacts the token in the requests: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py#n158

So the code in _http_log_request needs to be shared with _http_log_response.
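Brant's point above, and the reporter's log lines, in working form as an added example (not python-keystoneclient's own code): one redaction helper used by both the request-side and the response-side debug loggers, so the x-subject-token in a response is masked the same way X-Auth-Token already is in the request. Header names, URLs and token values below are constructed for the illustration.

```python
"""Shared redaction for request and response header logging (added example)."""
import logging

# Header names, compared case-insensitively, whose values are tokens.
_SECRET_HEADERS = frozenset(('x-auth-token', 'x-subject-token'))
REDACTED = 'TOKEN_REDACTED'


def redact_headers(headers):
    """Return a copy of `headers` with token values replaced by REDACTED.

    Only items() is used, so this works for a plain dict and for the
    CaseInsensitiveDict that requests puts on a response.  The original
    mapping is left untouched.
    """
    return dict((name, REDACTED if name.lower() in _SECRET_HEADERS else value)
                for name, value in headers.items())


def format_request(method, url, headers):
    """Build the curl-style REQ debug line with secrets redacted."""
    parts = ['REQ: curl -i -X %s %s' % (method, url)]
    for name, value in sorted(redact_headers(headers).items()):
        parts.append('-H "%s: %s"' % (name, value))
    return ' '.join(parts)


def format_response(status, headers):
    """Build the RESP debug line; this is the side the bug left unredacted."""
    return 'RESP: [%s] %s' % (status, sorted(redact_headers(headers).items()))


if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger('example.session')
    # Constructed sample exchange mirroring the shape of the reported log lines.
    req = {'X-Auth-Token': 'admintoken123', 'X-Subject-Token': 'subjtoken456',
           'Accept': 'application/json'}
    resp = {'content-length': '7113', 'x-subject-token': 'subjtoken456',
            'content-type': 'application/json'}
    log.debug(format_request('GET', 'http://keystone.example/v3/auth/tokens', req))
    log.debug(format_response(200, resp))
```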

Tushar Patil (tpatil) wrote :

Ankit has identified what changes are required as pointed out by Brant and he will push the patch by tomorrow.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/123954

Changed in python-keystoneclient:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/123954
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=ebeca911fa291e258c2c0b1ef55a26ff5ac009d2
Submitter: Jenkins
Branch: master

commit ebeca911fa291e258c2c0b1ef55a26ff5ac009d2
Author: ankitagrawal <email address hidden>
Date: Fri Sep 19 04:46:11 2014 -0700

    Redact x-subject-token from response headers

    When you invoke any OpenStack API of any of the OpenStack services
    e.g. glance, neutron, cinder, heat, ceilometer, nova, keystone
    then it logs readable x-subject-token at the debug log level in the
    respective log files.

    Simply redacting the x-subject-token in keystone client response header
    before logging it.

    SecurityImpact
    Closes-Bug: #1371355
    Change-Id: Iac16c6358250677544761beea9f5c5d8ba29afac

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 0.11.2
Changed in python-keystoneclient:
status: Fix Committed → Fix Released