nova log expose password when swapvolume

Bug #1761054 reported by jichenjc
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Undecided | jichenjc |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |

Bug Description

jichenjc (jichenjc)
Changed in nova:
assignee: nobody → jichenjc (jichenjc)
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/558694

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/558694
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1b61d6c08c7c86834acab45320230824b88d529c
Submitter: Zuul
Branch: master

commit 1b61d6c08c7c86834acab45320230824b88d529c
Author: jichenjc <email address hidden>
Date: Wed Apr 4 13:26:01 2018 +0800

    Avoid showing password in log

    per bug indicated, the password is shown in the log.

    https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L295
    indicated auth_password can be masked through mask_password method.

    Change-Id: I725eea1866642b40cc6b065ed0e8aefb91ca2889
    Closes-Bug: 1761054
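
The masking approach named in the commit message above, as an added example (a standard-library stand-in, not nova's change and not the oslo.utils implementation of `mask_password`): the same DEBUG call is captured with and without masking. The `connection_info` sample, the logger name and the helper names are constructed assumptions.

```python
import io
import logging
import re

# auth_password is the key named in the commit message; "password" is an assumed extra.
SECRET_KEYS = ("auth_password", "password")
MASK = "***"
_TEXT_RE = re.compile(
    r"""((?:%s)['"]?\s*[:=]\s*u?)(['"]).*?\2""" % "|".join(SECRET_KEYS))


def mask_dict(value):
    """Return a copy of a nested dict/list with secret values replaced."""
    if isinstance(value, dict):
        return {k: MASK if k in SECRET_KEYS else mask_dict(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_dict(v) for v in value]
    return value


def mask_text(message):
    """Mask key/value pairs in a string that was formatted before masking."""
    return _TEXT_RE.sub(r"\1\2" + MASK + r"\2", message)


def debug_output(payload, mask):
    """Log payload at DEBUG to an in-memory handler; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    log = logging.getLogger("swap_volume_demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    try:
        log.debug("new connection_info=%s", mask_dict(payload) if mask else payload)
    finally:
        log.removeHandler(handler)
    return stream.getvalue()


# Constructed sample; every field except auth_password is an assumption.
CONNECTION_INFO = {
    "driver_volume_type": "iscsi",
    "data": {"auth_username": "demo-user", "auth_password": "constructed-s3cret"},
}

if __name__ == "__main__":
    print(debug_output(CONNECTION_INFO, mask=False), end="")
    print(debug_output(CONNECTION_INFO, mask=True), end="")
```

`mask_dict` works on the structure before formatting, while `mask_text` covers messages that were already rendered to a string.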

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/559603

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/561850

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/561851

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Won't Fix
Jeremy Stanley (fungi) wrote :

Adding a "won't fix" state for security advisory publication, as the vulnerability management team considers information leaks in DEBUG level logs as "a vulnerability in experimental or debugging features not intended for production use" (class B3 in the report taxonomy): https://security.openstack.org/vmt-process.html#incident-report-taxonomy

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/559603
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=df90dfd5cdf76c65b8d8a539d79e384c82c8428c
Submitter: Zuul
Branch: stable/queens

commit df90dfd5cdf76c65b8d8a539d79e384c82c8428c
Author: jichenjc <email address hidden>
Date: Wed Apr 4 13:26:01 2018 +0800

    Avoid showing password in log

    per bug indicated, the password is shown in the log.

    https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L295
    indicated auth_password can be masked through mask_password method.

    Change-Id: I725eea1866642b40cc6b065ed0e8aefb91ca2889
    Closes-Bug: 1761054
    (cherry picked from commit 1b61d6c08c7c86834acab45320230824b88d529c)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 18.0.0.0b1

This issue was fixed in the openstack/nova 18.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.3

This issue was fixed in the openstack/nova 17.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/561850
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=978066fe31a5331f143a05e1fd753c729b2dcf09
Submitter: Zuul
Branch: stable/pike

commit 978066fe31a5331f143a05e1fd753c729b2dcf09
Author: jichenjc <email address hidden>
Date: Wed Apr 4 13:26:01 2018 +0800

    Avoid showing password in log

    per bug indicated, the password is shown in the log.

    https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L295
    indicated auth_password can be masked through mask_password method.

    Conflicts:
            nova/compute/manager.py

    NOTE(lyarwood): Conflicts caused by Ica323b87fa85a454fca9d46ada3677f18fe50022
    and Ifc01dbf98545104c998ab96f65ff8623a6db0f28 not being present in Pike.
    Additionally If12e7860baad2899380f06144a0270784a5466b8 was not present
    in Queens but landed in Pike and Ocata as a stable only change.

    Change-Id: I725eea1866642b40cc6b065ed0e8aefb91ca2889
    Closes-Bug: 1761054
    (cherry picked from commit 1b61d6c08c7c86834acab45320230824b88d529c)
    (cherry picked from commit df90dfd5cdf76c65b8d8a539d79e384c82c8428c)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/561851
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c17516f3999447ad0d4ec7ecd8f223f6468b693a
Submitter: Zuul
Branch: stable/ocata

commit c17516f3999447ad0d4ec7ecd8f223f6468b693a
Author: jichenjc <email address hidden>
Date: Wed Apr 4 13:26:01 2018 +0800

    Avoid showing password in log

    per bug indicated, the password is shown in the log.

    https://github.com/openstack/oslo.utils/blob/master/oslo_utils/strutils.py#L295
    indicated auth_password can be masked through mask_password method.

    Conflicts:
            nova/compute/manager.py

    NOTE(lyarwood): Conflicts caused by Ica323b87fa85a454fca9d46ada3677f18fe50022
    and Ifc01dbf98545104c998ab96f65ff8623a6db0f28 not being present in Pike.
    Additionally If12e7860baad2899380f06144a0270784a5466b8 was not present
    in Queens but landed in Pike and Ocata as a stable only change.

    Change-Id: I725eea1866642b40cc6b065ed0e8aefb91ca2889
    Closes-Bug: 1761054
    (cherry picked from commit 1b61d6c08c7c86834acab45320230824b88d529c)
    (cherry picked from commit df90dfd5cdf76c65b8d8a539d79e384c82c8428c)
    (cherry picked from commit 978066fe31a5331f143a05e1fd753c729b2dcf09)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 15.1.3

This issue was fixed in the openstack/nova 15.1.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.1.5

This issue was fixed in the openstack/nova 16.1.5 release.
