operation log: user passwords are logged by default setting

Bug #1744609 reported by Akihiro Motoki
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Akihiro Motoki |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |

Bug Description

If the operation log is enabled (disabled by default) and the default value of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries to change his/her password from "Change Password" panel (http://<dashboard-site>/settings/password/), both current and new passwords will be logged in the operation log like below.
The same thing happens in "Change Password" action in the Identity User panel.
----
[None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
----

The default value of OPERATION_LOG_OPTIONS['mask_fields'] should include "current_password", "new_password" and "confirm_password".

Operators who enable the operation log feature are recommended to set OPERATION_LOG_OPTIONS['mask_fields'] to ['password', 'current_password', 'new_password', 'confirm_password'] in local_settings.py.
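The following is an added illustration, not Horizon's own code, of why the exact-key masking described above leaks the change-password form: a field list that contains only "password" does not match "current_password", "new_password" or "confirm_password". It assumes a weak default of ['password'] and uses a constructed copy of the POST body from the log line, with the placeholder values the report already shows; mask_parameters, format_log_parameters and unmasked_credential_fields are hypothetical names.

```python
import json
import re

# Constructed sample of the POST body from the report, using its placeholder
# values; the CSRF token is a placeholder too. Not a real request.
SAMPLE_POST = {
    "fake_email": "",
    "fake_password": "",
    "new_password": "NEW-PASSWORD",
    "confirm_password": "NEW-PASSWORD",
    "current_password": "CURRENT-PASSWORD",
    "csrfmiddlewaretoken": "CSRF-TOKEN-PLACEHOLDER",
}

# Assumed weak default: only the exact key "password" is masked.
WEAK_MASK_FIELDS = ["password"]

# Value the report recommends operators set for
# OPERATION_LOG_OPTIONS['mask_fields'] in local_settings.py.
RECOMMENDED_MASK_FIELDS = ["password", "current_password",
                           "new_password", "confirm_password"]

MASK = "********"


def mask_parameters(params, mask_fields):
    """Return a copy of the request parameters with every key listed in
    mask_fields replaced by a fixed mask. Matching is by exact key name,
    so "password" alone does not cover "new_password"."""
    return {k: (MASK if k in mask_fields else v) for k, v in params.items()}


def format_log_parameters(params, mask_fields):
    """Render the masked parameters as the JSON blob that ends the
    operation log line shown in the report."""
    return json.dumps(mask_parameters(params, mask_fields), sort_keys=True)


def unmasked_credential_fields(params, mask_fields, pattern=r"password"):
    """Configuration audit: keys whose names look credential-like but are
    absent from mask_fields, so their values would be logged in clear text.
    Name-based, so it also flags the empty "fake_password" decoy field."""
    return sorted(k for k in params
                  if re.search(pattern, k, re.IGNORECASE)
                  and k not in mask_fields)


if __name__ == "__main__":
    for label, fields in (("weak", WEAK_MASK_FIELDS),
                          ("recommended", RECOMMENDED_MASK_FIELDS)):
        print(label, format_log_parameters(SAMPLE_POST, fields))
        print(label, "still unmasked:",
              unmasked_credential_fields(SAMPLE_POST, fields))
```

With the weak list, both the current and the new password appear verbatim in the rendered log entry; with the recommended list, every password field is replaced by the mask. The audit helper is a cheap pre-deployment check an operator can run against any form the dashboard posts before enabling the operation log.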

Revision history for this message
Akihiro Motoki (amotoki) wrote :

This is a bug of logging, so I think this can be public, but I would like to wait for the decision from the security team.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

This looks like a class B1 type of bug https://security.openstack.org/vmt-process.html#incident-report-taxonomy, and because of its nature (e.g. not remotely exploitable) I agree this can be made public.

Akihiro Motoki (amotoki)
information type: Private Security → Public Security
Changed in horizon:
milestone: queens-3 → queens-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/539534

Changed in horizon:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/539534
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1941d34e5cecf33090e73665034a8196b220e690
Submitter: Zuul
Branch: master

commit 1941d34e5cecf33090e73665034a8196b220e690
Author: Akihiro Motoki <email address hidden>
Date: Mon Jan 22 09:20:16 2018 +0900

    operation_log: Mask more password fields by default

    Change-Id: I69283a2b692d1fca93aad1d5ed26a29de4e0e4a9
    Closes-Bug: #1744609

Changed in horizon:
status: In Progress → Fix Released
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 13.0.0.0rc1

This issue was fixed in the openstack/horizon 13.0.0.0rc1 release candidate.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Seeing no objection to report class B1, I'm marking our OSSA task as won't fix. We can revisit if a case is made for class A with backported fixes.

Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/545432

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/545433

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/pike)

Reviewed: https://review.openstack.org/545432
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=63fd51cdd85197d756f27cb9d9fc3ec44d862aef
Submitter: Zuul
Branch: stable/pike

commit 63fd51cdd85197d756f27cb9d9fc3ec44d862aef
Author: Akihiro Motoki <email address hidden>
Date: Mon Jan 22 09:20:16 2018 +0900

    operation_log: Mask more password fields by default

    Change-Id: I69283a2b692d1fca93aad1d5ed26a29de4e0e4a9
    Closes-Bug: #1744609
    (cherry picked from commit 1941d34e5cecf33090e73665034a8196b220e690)

tags: added: in-stable-pike
tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/ocata)

Reviewed: https://review.openstack.org/545433
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d564ef499bacd3537e4d4bd22796037d6bf16f2d
Submitter: Zuul
Branch: stable/ocata

commit d564ef499bacd3537e4d4bd22796037d6bf16f2d
Author: Akihiro Motoki <email address hidden>
Date: Mon Jan 22 09:20:16 2018 +0900

    operation_log: Mask more password fields by default

    Change-Id: I69283a2b692d1fca93aad1d5ed26a29de4e0e4a9
    Closes-Bug: #1744609
    (cherry picked from commit 1941d34e5cecf33090e73665034a8196b220e690)

Jeremy Stanley (fungi)
information type: Public Security → Public
tags: added: security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 12.0.3

This issue was fixed in the openstack/horizon 12.0.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon ocata-eol

This issue was fixed in the openstack/horizon ocata-eol release.
