[OSSA 2013-031] Ceilometer log contains DB password in plain text (CVE-2013-6384)

Bug #1244476 reported by Eric Brown
Affects                      Status        Importance  Assigned to     Milestone
Ceilometer                   Fix Released  High        Julien Danjou
  Havana                     Fix Released  High        Julien Danjou
OpenStack Security Advisory  Fix Released  Medium      Thierry Carrez

Bug Description

Both impl_db2.py and impl_mongodb.py log the password used to access the database by printing out the connection string from ceilometer.conf. The database connection configuration parameter is usually marked secret because it contains this password.

https://github.com/openstack/ceilometer/blob/master/ceilometer/storage/impl_db2.py#L156
https://github.com/openstack/ceilometer/blob/master/ceilometer/storage/impl_mongodb.py#L158

Typically, this ends up getting written to /var/log/ceilometer/api.log. This file is world-readable, thereby giving any user on the system access to the ceilometer user and password used to connect with the database and potentially more.

For example:
2013-10-22 15:33:41.244 10537 INFO ceilometer.storage.impl_db2 [-] connecting to MongoDB on mongodb://ceilometer:fe85b844214814b95a0b@127.0.0.1:27017/ceilometer

where "ceilometer" is the user and "fe85b844214814b95a0b" is the password.

I recommend removing this line or at least masking out the password part.
LOG.info('connecting to MongoDB on %s', url)

CVE References

CVE-2013-6384

Julien Danjou (jdanjou)
tags: added: havana-backport-potential
Changed in ceilometer:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Julien Danjou (jdanjou)
milestone: none → icehouse-1
Revision history for this message
Thierry Carrez (ttx) wrote :

Given that these are non-DEBUG logs, I'd tend to publish an OSSA about this.

Changed in ossa:
status: New → Incomplete
Julien Danjou (jdanjou)
Changed in ceilometer:
status: Triaged → In Progress
Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, I agree this meets the criteria for an advisory. We should issue an OSSA given that Ceilometer is no longer in incubation.

Thierry Carrez (ttx)
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Revision history for this message
Julien Danjou (jdanjou) wrote :
Revision history for this message
Thierry Carrez (ttx) wrote :

Patch is public, cat out of bag etc

information type: Private Security → Public Security
Revision history for this message
Thierry Carrez (ttx) wrote :
Changed in ceilometer:
status: In Progress → Fix Committed
Revision history for this message
Thierry Carrez (ttx) wrote :

Proposed impact description, please check that it's accurately describing the issue:

---------------------
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected.

Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → Triaged
Revision history for this message
Jeremy Stanley (fungi) wrote :

This impact description looks accurate to me.

In this case "all supported versions" only means Havana because Ceilometer did not graduate from incubation prior to the Grizzly release?

Revision history for this message
Thierry Carrez (ttx) wrote :

fungi: yes :)

Revision history for this message
Thierry Carrez (ttx) wrote :

CVE requested

Changed in ossa:
status: Triaged → In Progress
Thierry Carrez (ttx)
Changed in ossa:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (stable/havana)

Reviewed: https://review.openstack.org/56396
Committed: http://github.com/openstack/ceilometer/commit/ef6c659588feff646343fd80ba3d420d9c06404b
Submitter: Jenkins
Branch: stable/havana

commit ef6c659588feff646343fd80ba3d420d9c06404b
Author: Julien Danjou <email address hidden>
Date: Wed Oct 30 15:49:33 2013 +0100

    mongodb, db2: do not print full URL in logs

    The full URL used to connect to MongoDB or DB2 might contain sensitive
    information such as username and password, so it's better to not print
    it at all.
    Instead, just print the hosts that are being connected to.

    Fixes-Bug: #1244476

    (cherry picked from commit f2e651181f0016e96a123556aba46bd8d91e0012)

    Change-Id: I4390020d24386df38b1fae32aeeb657456142abd
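
Added example, not Ceilometer's own code: it implements both remediation options raised on this page (the reporter's "mask out the password" and the merged fix's "log only the hosts") for mongodb:// and db2:// style connection URLs, and a small scanner a defender can run over existing api.log lines to find entries that already leaked credentials. Function names and the sample log lines are constructed for this example; the first sample line is the one quoted in the bug report.

```python
import re

def split_connection_url(url):
    """Split 'scheme://[user[:pw]@]host1[,host2...][/rest]' into its parts.

    Returns (scheme, userinfo_or_None, [hosts], rest). Written by hand
    because urllib treats the comma-separated MongoDB host list as one
    host. A literal '@' inside the password must be percent-encoded.
    """
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("expected a scheme://... connection URL")
    authority, slash, rest = remainder.partition("/")
    userinfo, at, hostpart = authority.rpartition("@")
    hosts = [h for h in hostpart.split(",") if h]
    return scheme, (userinfo if at else None), hosts, slash + rest

def redact_connection_url(url):
    """Option 1 from the report: keep the URL but replace the password."""
    scheme, userinfo, hosts, rest = split_connection_url(url)
    if userinfo is None:
        return url  # nothing secret to hide
    user, colon, _password = userinfo.partition(":")
    masked = user + (":***" if colon else "")
    return "%s://%s@%s%s" % (scheme, masked, ",".join(hosts), rest)

def connection_hosts(url):
    """Option 2, what the merged fix does: log only the host:port entries."""
    return split_connection_url(url)[2]

# Any URL whose authority part carries user:password@ is a credential leak.
URL_WITH_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/\s@]+):[^@\s/]+@")

def find_credential_leaks(lines):
    """Return (line_no, username) for each log line embedding credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_WITH_CREDS.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

# Constructed sample: the line quoted in the report plus a harmless one.
SAMPLE_LOG = [
    "2013-10-22 15:33:41.244 10537 INFO ceilometer.storage.impl_db2 [-] "
    "connecting to MongoDB on mongodb://ceilometer:fe85b844214814b95a0b@127.0.0.1:27017/ceilometer",
    "2013-10-22 15:33:41.301 10537 INFO ceilometer.api [-] listening on 0.0.0.0:8777",
]
```

The scanner is deliberately scheme-agnostic, so it also flags leaked credentials in other service URLs (rabbit, sql) that an OpenStack log may carry.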

Revision history for this message
Thierry Carrez (ttx) wrote :

[OSSA 2013-031]

summary: - Ceilometer log contains DB password in plain text
+ [OSSA 2013-031] Ceilometer log contains DB password in plain text
+ (CVE-2013-6384)
Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ceilometer:
status: Fix Committed → Fix Released
Alan Pevec (apevec)
tags: removed: havana-backport-potential
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: icehouse-1 → 2014.1