Infortrend driver logs password in commands

Bug #1708547 reported by Walt Boring
Affects: Cinder
Status: Fix Released
Importance: Medium
Assigned to: Walt Boring
Milestone: (none)

Bug Description

The Infortrend driver's cli_factory constructs a command to execute, which can include a password. When the command fails, the cli_factory logs the entire command line to the log file, leaving the password in clear text.

Password line:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/infortrend/raidcmd_cli/cli_factory.py#L173-L175

Command logged:
https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/infortrend/raidcmd_cli/cli_factory.py#L221-L226
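The pattern the description refers to, as an added Python example that is not the Cinder driver's own code: a command line carrying a password, a failure path that logs it, and the masking step the fix adds. The `raidcmd` command shape, its flags, and the helper names are assumptions.

```python
import logging
import shlex
import subprocess
from types import SimpleNamespace

LOG = logging.getLogger("infortrend_example")
LOG.propagate = False  # keep the example's records out of the root logger
MASK = "***"


def build_cli_command(user, password, *args):
    # Hypothetical command shape: the password travels on the command line,
    # which is exactly why a failure log must not echo the command verbatim.
    return ["raidcmd", "-u", user, "-p", password, *args]


def mask_password(cmd, password):
    """Copy of cmd with every occurrence of the password masked.

    Handles both a standalone argument ("-p", "<secret>") and a password
    embedded in a larger argument ("-p<secret>") so neither form is logged.
    """
    if not password:
        return list(cmd)
    return [arg.replace(password, MASK) for arg in cmd]


def execute(cmd, password, runner=subprocess.run):
    """Run cmd; on failure, log the command with the password masked.

    The vulnerable version logged `cmd` directly here. Passing it through
    mask_password() first is the behaviour this bug asked for.
    """
    result = runner(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        LOG.error("command failed (rc=%d): %s", result.returncode,
                  shlex.join(mask_password(cmd, password)))
        raise RuntimeError("command failed")
    return result.stdout


def failing_runner(cmd, **kwargs):
    # Constructed stand-in for subprocess.run that always reports failure.
    return SimpleNamespace(returncode=1, stdout="", stderr="login failed")


def captured_failure_log(user, password):
    """Run a command that fails and return exactly what was logged."""
    records = []
    handler = logging.Handler()
    handler.emit = records.append  # collect records instead of writing them
    LOG.addHandler(handler)
    try:
        execute(build_cli_command(user, password, "show", "lv"),
                password, runner=failing_runner)
    except RuntimeError:
        pass
    finally:
        LOG.removeHandler(handler)
    return "\n".join(r.getMessage() for r in records)
```

Reading back the captured log line is the check to add to a driver's unit tests: the command name and arguments should be present, the password string should not.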

Tags: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/490674

Changed in cinder:
assignee: nobody → Walt Boring (walter-boring)
status: New → In Progress
Changed in cinder:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/490674
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=af0b0082de8556e6923634986567b42c94fc31b3
Submitter: Jenkins
Branch: master

commit af0b0082de8556e6923634986567b42c94fc31b3
Author: Walter A. Boring IV <email address hidden>
Date: Thu Aug 3 23:05:34 2017 +0000

    Infortrend mask password logging

    This patch fixes a problem where, when a CLI command is executed and fails,
    the driver logs the entire command, including the password, in clear text.
    This patch makes sure that the password is masked out.

    Change-Id: I4984b994bde4c5aa3a8914f06f5cfc8205f0f4d8
    Closes-Bug: 1708547

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 11.0.0.0rc1

This issue was fixed in the openstack/cinder 11.0.0.0rc1 release candidate.
