[OSSA 2013-031] Ceilometer log contains DB password in plain text (CVE-2013-6384)

Bug #1244476 reported by Eric Brown on 2013-10-25

Bug Description

Both impl_db2.py and impl_mongodb.py log the password used to access the database by printing out the connection string from ceilometer.conf. The database connection configuration parameter is usually marked secret because it contains this password.

Typically, this ends up getting written to /var/log/ceilometer/api.log. This file is world-readable, thereby giving any user on the system access to the ceilometer user and password used to connect with the database and potentially more.

For example:
2013-10-22 15:33:41.244 10537 INFO ceilometer.storage.impl_db2 [-] connecting to MongoDB on mongodb://ceilometer:fe85b844214814b95a0b@

where "ceilometer" is the user and "fe85b844214814b95a0b" is the password.

I recommend removing this line or at least masking out the password part.
LOG.info('connecting to MongoDB on %s', url)

Julien Danjou (jdanjou) on 2013-10-25
tags: added: havana-backport-potential
Changed in ceilometer:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Julien Danjou (jdanjou)
milestone: none → icehouse-1
Thierry Carrez (ttx) wrote :

Given that these are non-DEBUG logs, I'd tend to publish an OSSA about this.

Changed in ossa:
status: New → Incomplete
Julien Danjou (jdanjou) on 2013-10-31
Changed in ceilometer:
status: Triaged → In Progress
Jeremy Stanley (fungi) wrote :

Yes, I agree this meets the criteria for an advisory. We should issue an OSSA given that Ceilometer is no longer in incubation.

Thierry Carrez (ttx) on 2013-11-15
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Patch is public, cat out of bag etc

information type: Private Security → Public Security
Thierry Carrez (ttx) wrote :
Changed in ceilometer:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote :

Proposed impact description, please check that it's accurately describing the issue:

Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected.

Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → Triaged
Jeremy Stanley (fungi) wrote :

This impact description looks accurate to me.

In this case "all supported versions" only means Havana because Ceilometer did not graduate from incubation prior to the Grizzly release?

Thierry Carrez (ttx) wrote :

fungi: yes :)

Thierry Carrez (ttx) wrote :

CVE requested

Changed in ossa:
status: Triaged → In Progress
Thierry Carrez (ttx) on 2013-11-22
Changed in ossa:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/56396
Committed: http://github.com/openstack/ceilometer/commit/ef6c659588feff646343fd80ba3d420d9c06404b
Submitter: Jenkins
Branch: stable/havana

commit ef6c659588feff646343fd80ba3d420d9c06404b
Author: Julien Danjou <email address hidden>
Date: Wed Oct 30 15:49:33 2013 +0100

    mongodb, db2: do not print full URL in logs

    The full URL used to connect to MongoDB or DB2 might contain sensitive
    information such as username and password, so it's better to not print
    it at all.
    Instead, just print the hosts that are being connected to.

    Fixes-Bug: #1244476

    (cherry picked from commit f2e651181f0016e96a123556aba46bd8d91e0012)

    Change-Id: I4390020d24386df38b1fae32aeeb657456142abd
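The leak described in the bug report and the direction of the committed fix (log only the hosts, never the full connection string), as an added Python example that is not Ceilometer's own code. It also includes a defender-side check for connection-string credentials that already landed in a log file. The DB_URL value, the host names and the EXAMPLE_SECRET password are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Added example, not Ceilometer's code. Shows the fix direction taken in the
# commit (log hosts only, never the full URL) and a defender-side check for
# credentials that already landed in a log file.

# Constructed sample value for ceilometer.conf's database connection; the
# password is a placeholder.
DB_URL = "mongodb://ceilometer:EXAMPLE_SECRET@mongo1:27017,mongo2:27017/ceilometer"


# The leaking pattern from the report: the whole connection string is logged.
def unsafe_connect_message(url: str) -> str:
    return "connecting to MongoDB on %s" % url


def hosts_only(url: str) -> str:
    """Return the host[:port] list of a database URL with userinfo removed.

    MongoDB URLs may list several comma-separated hosts in the netloc,
    e.g. user:pw@h1:27017,h2:27017; splitting on the last '@' drops the
    credentials whatever characters the password contains.
    """
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1]


# The hardened form: only scheme and hosts reach the log.
def safe_connect_message(url: str) -> str:
    return "connecting to MongoDB on %s://%s" % (urlsplit(url).scheme, hosts_only(url))


# Defender check: find scheme://user:password@ fragments in existing log
# lines (e.g. /var/log/ceilometer/api.log) and mask the password part.
_CRED_RE = re.compile(r"([a-z][a-z0-9+.-]*://[^:/\s@]+:)([^@\s]+)(@)", re.IGNORECASE)


def redact_log_line(line: str) -> tuple:
    """Return (number of credentials found, line with passwords masked)."""
    redacted, n = _CRED_RE.subn(r"\1***\3", line)
    return n, redacted


if __name__ == "__main__":
    leaked = "INFO ceilometer.storage.impl_db2 [-] " + unsafe_connect_message(DB_URL)
    print(leaked)                       # password visible, as in the report
    print(safe_connect_message(DB_URL))  # hosts only, as after the fix
    print(redact_log_line(leaked))       # (1, line with '***' in place of the password)
```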

Thierry Carrez (ttx) wrote :

[OSSA 2013-031]

summary: - Ceilometer log contains DB password in plain text
+ [OSSA 2013-031] Ceilometer log contains DB password in plain text
+ (CVE-2013-6384)
Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-12-04
Changed in ceilometer:
status: Fix Committed → Fix Released
Alan Pevec (apevec) on 2013-12-09
tags: removed: havana-backport-potential
Thierry Carrez (ttx) on 2014-04-17
Changed in ceilometer:
milestone: icehouse-1 → 2014.1