Setting debug mode also causes Pecan to run in debug mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ceilometer | Fix Released | Critical | Jim Rollenhagen |
Cue | Fix Committed | Critical | Vipul Sabhaya |
Gnocchi | Fix Released | Undecided | Chris Dent |
Ironic | Fix Released | Critical | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Robert Clark |
Bug Description
When debug mode is set (via --debug or CONF.debug=True), pecan is also put into debug mode. In debug mode, pecan serves HTML for every 500 that:
1) gives the full traceback
2) gives the full list of environment variables
3) allows the user to retry the request with a breakpoint inserted, which locks up the service in a pdb shell
This means that running the API service in debug mode can result in both system information leaks (which could contain secrets) and a denial of service.
Ironic is not the only service affected in this way; ceilometer's pecan_debug option defaults to CONF.debug, and the following projects also use CONF.debug to set pecan's debug mode:
openstack/tuskar
openstack/kite
openstack-
stackforge/libra
stackforge/blazar
stackforge/cue
This is not an exhaustive list, but I believe I have checked all openstack/ projects and did a fairly thorough search on Github. Ryan Petrello and Doug Hellman helped to make this list.
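The information leak described in points 1 and 2 above, shown as an added example: this is not Pecan's code and not any of the listed projects' fixes, but a minimal standard-library WSGI app whose 500 handler, when its own debug flag is on, behaves like a framework debug page (traceback plus the full request environ) and, when off, logs the details server-side and returns a generic 500. The failing handler, the `/v1/nodes` path and the `DATABASE_URL` value are constructed for the illustration. The remedy the description points at is the same decoupling: give the framework its own option (as ceilometer's `pecan_debug` does) instead of deriving it from `CONF.debug`, so that turning on operator debug logging never turns on these pages.

```python
"""Debug-style error pages versus a hardened 500 handler in a plain WSGI app.

Added example using only the standard library; it stands in for Pecan's
behaviour described in the bug and is not code from Pecan or any OpenStack
project.
"""
import logging
import traceback
from wsgiref.util import setup_testing_defaults

LOG = logging.getLogger("api")


def failing_view(environ):
    # Constructed endpoint that always fails, standing in for a buggy API call.
    raise RuntimeError("database connection refused")


def make_app(debug_error_pages):
    """Return a WSGI app whose 500 handling depends on debug_error_pages.

    True  -> behaves like a framework debug page: traceback and every environ
             key/value are sent to the client.
    False -> traceback goes to the server log only; client gets a generic 500.
    """
    def app(environ, start_response):
        try:
            body = failing_view(environ)
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [body]
        except Exception:
            tb = traceback.format_exc()
            if debug_error_pages:
                # Leaks the stack and the process/request environment, which
                # in a real deployment can include credentials.
                env_dump = "\n".join(f"{k}={v}" for k, v in sorted(environ.items()))
                page = f"Traceback:\n{tb}\nEnvironment:\n{env_dump}\n"
            else:
                # Hardened: keep details where operators can read them and
                # tell the client nothing specific.
                LOG.error("Unhandled error serving %s:\n%s",
                          environ.get("PATH_INFO"), tb)
                page = "Internal Server Error\n"
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [page.encode()]
    return app


def call(app, environ):
    """Invoke a WSGI app once and return (status line, decoded body)."""
    status = {}

    def start_response(s, headers, exc_info=None):
        status["line"] = s

    chunks = app(environ, start_response)
    return status["line"], b"".join(chunks).decode()


def constructed_environ():
    """A constructed request environ carrying a secret-looking variable."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/v1/nodes"
    # Constructed value; real environments often carry connection strings.
    environ["DATABASE_URL"] = "mysql://svc:example-password@db.example.invalid/api"
    return environ


def response_for(debug_error_pages):
    """Run the failing request through an app built with the given flag."""
    return call(make_app(debug_error_pages), constructed_environ())


if __name__ == "__main__":
    for flag in (True, False):
        status, body = response_for(flag)
        print(f"debug_error_pages={flag}: {status}")
        print(body)
```

Running it shows the debug response containing both the `RuntimeError` traceback and the `DATABASE_URL` value, while the hardened response is the single line `Internal Server Error`; the same request, the same bug, with the difference decided entirely by which flag the error handler reads.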
Changed in ironic:
  status: New → Confirmed
Changed in ceilometer:
  status: New → Triaged
  importance: Undecided → Critical
  milestone: none → kilo-3
Changed in ossa:
  status: Won't Fix → Incomplete
Changed in ironic:
  importance: Undecided → Critical
  status: Confirmed → Triaged
  milestone: none → kilo-3
Changed in ceilometer:
  assignee: nobody → Jim Rollenhagen (jim-rollenhagen)
  status: Triaged → In Progress
Changed in gnocchi:
  assignee: gordon chung (chungg) → Chris Dent (chdent)
Changed in cue:
  importance: Undecided → Critical
Changed in cue:
  assignee: nobody → Vipul Sabhaya (vipuls)
Changed in ceilometer:
  status: Fix Committed → Fix Released
Changed in ironic:
  status: Fix Committed → Fix Released
Changed in gnocchi:
  status: Fix Committed → Fix Released
  milestone: none → 1.0.0a1
Changed in ceilometer:
  milestone: kilo-3 → 2015.1.0
Changed in ironic:
  milestone: kilo-3 → 2015.1.0
Changed in cue:
  milestone: none → 1.0.0
DEBUG mode related leaks have not been considered a vulnerability and didn't warrant an advisory. Moreover, neither Ironic nor the other mentioned projects are part of the security-supported projects.
Feel free to remove the private security settings if it makes sense.