[SRU] ceilometer writing snmp credentials to log file

Bug #1811098 reported by Edward Hope-Morley on 2019-01-09
Affects                 Importance   Assigned to
Ceilometer              Undecided    Edward Hope-Morley
Ubuntu Cloud Archive    (status tracked in Stein)
  Ocata                 High         Unassigned
  Pike                  High         Unassigned
  Queens                High         Unassigned
  Rocky                 High         Unassigned
  Stein                 High         Unassigned
ceilometer (Ubuntu)     High         Unassigned
  Bionic                High         Unassigned
  Cosmic                High         Unassigned
  Disco                 High         Unassigned

Bug Description

[Impact]
This SRU proposal is to patch the Ubuntu ceilometer package so that the ceilometer-agent switches printing the contents of polling.yaml from INFO to DEBUG. This is mostly an interim fix to make it easy to stop the presence of sensitive data in the ceilometer logfiles when DEBUG logging is not activated. Another bug will be raised to propose sanitising the data printed.

[Test Case]
* deploy Openstack Q/R/S with ceilometer
* enable debug logging
* check that /var/log/ceilometer/ceilometer-agent-central.log contains a line similar to:

2019-01-09 11:40:50.641 25495 DEBUG ceilometer.agent [-] Config file: {'sources': [{'interval': 300, 'meters'...

i.e. ensure that the log is printed using DEBUG (not INFO)

[Regression Potential]
Users with debug mode disabled will no longer see this line.

----

The ceilometer-agent-central is always writing the contents of polling.yaml to its log file (and as INFO) [1].

This presents a security risk if e.g. resources contain sensitive information like when specifying snmp targets with the url containing the username, password etc.

There are a couple of ways we could solve this, namely: (1) don't log this info at all, (2) sanitise the contents prior to logging as DEBUG, (3) switch to using config for the snmp credentials in a similar way to how the Triple0Discoverer does it [2] - this would only support having the same creds everywhere though, which may not be desirable.

[1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
[2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24
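As an added example (not ceilometer's code and not the patch proposed in this bug), one way to implement option (2) above, sanitising the polling.yaml contents before they are logged at DEBUG. It assumes credentials appear as userinfo in snmp:// resource URLs and, as a generalisation, also masks any query parameter whose name contains "pass"; the sample config is constructed.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample shaped like a ceilometer polling.yaml 'sources' list; the
# snmp:// resource URL carries credentials in its userinfo, which is what the
# unsanitised "Config file:" log line would expose.
SAMPLE_CONFIG = {
    'sources': [{
        'name': 'hardware_source',
        'interval': 300,
        'meters': ['hardware.cpu.load.1min'],
        'resources': ['snmp://snmpuser:snmppass@10.0.0.5:161//'],
    }]
}
PLACEHOLDER = 'REDACTED'


def redact_url_credentials(url):
    """Mask userinfo (user:password@) and any query parameter whose name
    contains 'pass' (an assumed convention, e.g. priv_password) in a URL."""
    parts = urlsplit(url)
    netloc, query = parts.netloc, parts.query
    if parts.username is not None or parts.password is not None:
        # keep only the host:port after the last '@' (urlsplit splits there too)
        netloc = PLACEHOLDER + '@' + netloc.rsplit('@', 1)[1]
    if query:
        pairs = parse_qsl(query, keep_blank_values=True)
        if any('pass' in k.lower() for k, _ in pairs):
            query = urlencode([(k, PLACEHOLDER if 'pass' in k.lower() else v)
                               for k, v in pairs])
    if netloc == parts.netloc and query == parts.query:
        return url  # nothing sensitive found: return the string untouched
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def sanitise_config(obj):
    """Return a copy of a parsed polling config with every URL-looking string
    passed through redact_url_credentials; the input is never mutated."""
    if isinstance(obj, dict):
        return {k: sanitise_config(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitise_config(v) for v in obj]
    if isinstance(obj, str) and '://' in obj:
        return redact_url_credentials(obj)
    return obj


def log_polling_config(config, log=logging.getLogger('ceilometer.agent')):
    """Log the config as the fixed agent does (DEBUG, not INFO), but sanitised."""
    log.debug('Config file: %s', sanitise_config(config))
```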

Changed in ceilometer:
assignee: nobody → Edward Hope-Morley (hopem)

Fix proposed to branch: master
Review: https://review.openstack.org/629891

Changed in ceilometer:
status: New → In Progress
tags: added: sts sts-sru-needed
Edward Hope-Morley (hopem) wrote :
summary: - ceilometer writing snmp credentials to log file
+ [SRU] ceilometer writing snmp credentials to log file
affects: ubuntu → ceilometer (Ubuntu)

The attachment "lp1811098-stein.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
description: updated
Changed in ceilometer (Ubuntu Bionic):
importance: Undecided → High
status: New → Triaged
Changed in ceilometer (Ubuntu Cosmic):
importance: Undecided → High
status: New → Triaged
Changed in ceilometer (Ubuntu Disco):
importance: Undecided → High
status: New → Triaged
information type: Public → Private Security
Corey Bryant (corey.bryant) wrote :

Note there is a public fix proposed for this issue.

Jeremy Stanley (fungi) wrote :

While reports of suspected vulnerabilities for ceilometer aren't officially overseen by the OpenStack vulnerability management team, we're happy to provide guidance in such matters. I've subscribed the Ceilometer Core security reviewers to the report, to improve visibility among them while it's set as private.

Given the fixes for this were proposed in public, and the bug was also opened initially public and remained so for a week, there's probably not much point in maintaining an embargo for this report, and so it should just follow the open/public vulnerability management process at this stage.

From a quick look at the reported defect and associated patches, it seems fairly straightforward. This is in line with what the OpenStack VMT would consider a class A report in our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy . As such, I'd recommend publishing some sort of Ceilometer notice or advisory about the issue once backports for all supported stable branches have merged.

Corey Bryant (corey.bryant) wrote :

This has been sponsored and uploaded to disco, cosmic and bionic and is awaiting SRU team review in the cosmic and bionic unapproved queues.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceilometer - 1:12.0.0~b1~git2018111615.da95ab99-0ubuntu2

---------------
ceilometer (1:12.0.0~b1~git2018111615.da95ab99-0ubuntu2) disco; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 11:54:23 +0000

Changed in ceilometer (Ubuntu Disco):
status: Triaged → Fix Released

Hello Edward, or anyone else affected,

Accepted ceilometer into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ceilometer/1:11.0.1-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

information type: Private Security → Public Security
Changed in ceilometer (Ubuntu Cosmic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in ceilometer (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Edward, or anyone else affected,

Accepted ceilometer into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ceilometer/1:10.0.1-0ubuntu0.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

James Page (james-page) wrote :

Hello Edward, or anyone else affected,

Accepted ceilometer into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:rocky-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-rocky-needed to verification-rocky-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-rocky-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-rocky-needed
Edward Hope-Morley (hopem) wrote :

cosmic-proposed verified using [Test Case].

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Edward Hope-Morley (hopem) wrote :

bionic-proposed verified using [Test Case].

tags: added: verification-done-bionic
removed: verification-needed-bionic
Edward Hope-Morley (hopem) wrote :

rocky-proposed verified using [Test Case].

tags: added: verification-done verification-rocky-done
removed: verification-needed verification-rocky-needed
Nick Tait (nickthetait) wrote :

I agree with VMT's rating of class A. Will a CVE be requested for this?

Jeremy Stanley (fungi) wrote :

A CVE can be requested by anyone for any defect. The OpenStack VMT doesn't generally request CVEs for projects it doesn't oversee, but we have a brief overview of what we'd generally recommend putting in MITRE's CVE Request form documented at https://security.openstack.org/vmt-process.html#send-cve-request if you're interested in following a similar process. Note that for an already-public report like this one, there are fewer bits to worry about (the process documentation attempts to call out the difference between what you'd do for still private embargoed reports vs already public reports).

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2

---------------
ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 18:14:54 +0000

Changed in ceilometer (Ubuntu Cosmic):
status: Fix Committed → Fix Released

Hello Edward, or anyone else affected,

Accepted ceilometer into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-queens-needed
Nick Tait (nickthetait) wrote :

This flaw has been assigned CVE-2019-3830: https://access.redhat.com/security/cve/cve-2019-3830

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2

---------------
ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 18:16:31 +0000

Changed in ceilometer (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2~cloud0
---------------

 ceilometer (1:11.0.1-0ubuntu2~cloud0) bionic-rocky; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

Edward Hope-Morley (hopem) wrote :

queens-proposed verified using [Test Case].

tags: added: verification-queens-done
removed: verification-queens-needed
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2~cloud0
---------------

 ceilometer (1:10.0.1-0ubuntu0.18.04.2~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

tags: added: sts-sru-done
removed: sts-sru-needed

This issue was fixed in the openstack/ceilometer 12.0.0.0rc1 release candidate.
