leak access_key in logs

Bug #2047688 reported by lujiefsi
This bug affects 1 person
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned
glance_store                 Fix Released  Undecided   lujiefsi
lujiefsi (lujiefsi) wrote (last edit):

Any update for this issue?

lujiefsi (lujiefsi)
information type: Private Security → Public
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (master)
Changed in glance-store:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (master)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/906087
Committed: https://opendev.org/openstack/glance_store/commit/a5ba027922ba1230b4ae9abb810f36427be6354a
Submitter: "Zuul (22348)"
Branch: master

commit a5ba027922ba1230b4ae9abb810f36427be6354a
Author: lujie <email address hidden>
Date: Fri Jan 19 13:12:20 2024 +0800

    Do not show access_key in s3 driver

    Closes-Bug: #2047688
    Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7

Changed in glance-store:
status: In Progress → Fix Released
lujiefsi (lujiefsi)
Changed in glance-store:
assignee: nobody → lujiefsi (lujiefsi)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/glance_store/+/906185

Takashi Kajinami (kajinamit) wrote :

The fix is incomplete and we have to fix a few more places. See the related change above.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to glance_store (master)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/906185
Committed: https://opendev.org/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2
Submitter: "Zuul (22348)"
Branch: master

commit d6e531af4821c8466b1e9404f12f89f6216417f2
Author: Takashi Kajinami <email address hidden>
Date: Sun Jan 21 02:09:05 2024 +0900

    s3: Do not log access keys

    The previous attempt a5ba027922ba1230b4ae9abb810f36427be6354a was
    incomplete and there are still a few more logs where access keys are
    logged. This fixes these to avoid leaking access keys to log.

    Related-Bug: #2047688
    Change-Id: I8dc564bed33d6fc71965f4f573ae9109b410b1d4

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/glance_store/+/906481

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/glance_store/+/906484

lujiefsi (lujiefsi) wrote :

Can I apply for a CVE, since many similar vulnerabilities in OpenStack have been granted CVEs?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/glance_store/+/907733

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/glance_store/+/907734

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/glance_store/+/907736

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (stable/zed)

Related fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/glance_store/+/907737

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance_store/+/907738

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to glance_store (stable/yoga)

Related fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance_store/+/907739

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance_store (stable/yoga)

Change abandoned by "Brian Rosmaita <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance_store/+/907738
Reason: As discussed at today's Glance meeting [0], this patch will be abandoned and re-proposed to unmaintained/yoga

[0] https://meetings.opendev.org/meetings/glance/2024/glance.2024-02-08-14.00.log.html

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by "Brian Rosmaita <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/glance_store/+/907739
Reason: As discussed at today's Glance meeting [0], this patch will be abandoned and re-proposed to unmaintained/yoga

[0] https://meetings.opendev.org/meetings/glance/2024/glance.2024-02-08-14.00.log.html

Jeremy Stanley (fungi) wrote :

Sorry for not weighing in on this sooner, but I only just stumbled across this when spotting an unfamiliar-looking security advisory issued by Ubuntu and then discovered that private security bug reports for glance_store were not set to be automatically shared with the OpenStack vulnerability managers. I've used access through our admin group to add this now, so we hopefully shouldn't miss similar reports in the future.

Thanks for reporting this. Judging from the fix which was merged, this only logs credentials at DEBUG log level, and sharing debug logs with untrusted parties is strongly discouraged. The VMT considers this a class B3 report per our taxonomy so won't be issuing any official advisory: https://security.openstack.org/vmt-process.html#report-taxonomy

Changed in ossa:
status: New → Won't Fix
tags: added: security
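As an added illustration (not code from glance_store or from this thread), the pattern the fix removes beside two defensive counterparts: masking credentials before a DEBUG message is built, a logging filter that scrubs any log call the code fix missed, and a check that scans log lines for the configured key values. The configuration dict and its values are constructed placeholders, and the logger name is hypothetical.

```python
import logging
import re
# Names of the S3 driver options whose values must never reach a log.
SENSITIVE_KEYS = ("access_key", "secret_key")
# Key/value forms a dict repr, kwargs dump or conf line produce ('k': 'v', k=v, k: v).
_KV_RE = re.compile(
    r"(?P<prefix>(?P<name>\w*?(?:access_key|secret_key))\b['\"]?\s*[:=]\s*['\"]?)"
    r"(?P<val>[^'\",\s}]+)")
# Constructed sample configuration; placeholder values, not real credentials.
SAMPLE_CONF = {"s3_store_host": "s3.example.invalid",
               "s3_store_access_key": "AKIAEXAMPLE0000001",
               "s3_store_secret_key": "wJalrXUtnFEMI/EXAMPLEKEY"}
UNSAFE_LINE = "Using S3 store with config: %s" % SAMPLE_CONF  # what the bug logged

def mask(name, value):
    """Keep a 4-char prefix of the access key id (an identifier); hide the secret."""
    if name.endswith("access_key") and len(value) > 4:
        return value[:4] + "****"
    return "****"

def redact(text):
    """Scrub credential values wherever the key/value pattern occurs in text."""
    return _KV_RE.sub(
        lambda m: m.group("prefix") + mask(m.group("name"), m.group("val")), text)

def describe_store_safe(conf):
    """Hardened form of the log message: mask before the message is built."""
    return "Using S3 store with config: %s" % {
        k: mask(k, v) if k.endswith(SENSITIVE_KEYS) else v for k, v in conf.items()}

class CredentialRedactingFilter(logging.Filter):
    """Defence in depth: a log call the code fix missed still cannot leak."""
    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), ()
        return True

def log_through_filter(conf):
    """Send the unsafe message through a filtered logger; return what a handler gets."""
    written, logger = [], logging.Logger("s3_demo")  # stand-alone, hypothetical name
    logger.setLevel(logging.DEBUG)
    logger.addFilter(CredentialRedactingFilter())
    handler = logging.Handler()
    handler.emit = lambda record: written.append(record.getMessage())
    logger.addHandler(handler)
    logger.debug("Using S3 store with config: %s", conf)
    return written

def leaked_values(lines, conf):
    """Detection side: configured credential values that appear verbatim in a log."""
    return sorted({v for k, v in conf.items() if k.endswith(SENSITIVE_KEYS)
                   for line in lines if v in line})
```

Run `leaked_values` over an exported DEBUG log with the deployment's own conf to confirm whether a rotation is needed; the filter is a safety net, not a substitute for removing the log calls.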
OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance_store (stable/2023.2)

Change abandoned by "Brian Rosmaita <email address hidden>" on branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/glance_store/+/906481
Reason: This change has been squashed into https://review.opendev.org/c/openstack/glance_store/+/906484

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance_store (stable/2023.1)

Change abandoned by "Brian Rosmaita <email address hidden>" on branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/glance_store/+/907734
Reason: No longer needed; see https://review.opendev.org/c/openstack/glance_store/+/906484

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance_store (stable/zed)

Change abandoned by "Brian Rosmaita <email address hidden>" on branch: stable/zed
Review: https://review.opendev.org/c/openstack/glance_store/+/907737
Reason: No longer needed; see https://review.opendev.org/c/openstack/glance_store/+/906484

OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (unmaintained/yoga)

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/glance_store/+/909173

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store 4.7.0

This issue was fixed in the openstack/glance_store 4.7.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/907736
Committed: https://opendev.org/openstack/glance_store/commit/f7f87019adbcdb069ea23ccb7b3e187cb52eaf55
Submitter: "Zuul (22348)"
Branch: stable/zed

commit f7f87019adbcdb069ea23ccb7b3e187cb52eaf55
Author: lujie <email address hidden>
Date: Fri Jan 19 13:12:20 2024 +0800

    Do not show access_key in s3 driver

    Avoid possible leakage of s3 access keys by not including them in log
    messages.

    This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
    (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
    some more log messages that the original patch had missed.

    The two commits are squashed here for ease in backporting (and also
    to make sure that *both* are always backported).

    Closes-Bug: #2047688
    Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
    (cherry picked from commit a5ba027922ba1230b4ae9abb810f36427be6354a)
    (cherry picked from commit 1583aebb69befea3173396ea161cf896b7d51beb)
    (cherry picked from commit 45ad5df01fa7062ba7d3ec99966531623e35ab57)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/907733
Committed: https://opendev.org/openstack/glance_store/commit/45ad5df01fa7062ba7d3ec99966531623e35ab57
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 45ad5df01fa7062ba7d3ec99966531623e35ab57
Author: lujie <email address hidden>
Date: Fri Jan 19 13:12:20 2024 +0800

    Do not show access_key in s3 driver

    Avoid possible leakage of s3 access keys by not including them in log
    messages.

    This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
    (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
    some more log messages that the original patch had missed.

    The two commits are squashed here for ease in backporting (and also
    to make sure that *both* are always backported).

    Closes-Bug: #2047688
    Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
    (cherry picked from commit a5ba027922ba1230b4ae9abb810f36427be6354a)
    (cherry picked from commit 1583aebb69befea3173396ea161cf896b7d51beb)

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/906484
Committed: https://opendev.org/openstack/glance_store/commit/1583aebb69befea3173396ea161cf896b7d51beb
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 1583aebb69befea3173396ea161cf896b7d51beb
Author: lujie <email address hidden>
Date: Fri Jan 19 13:12:20 2024 +0800

    Do not show access_key in s3 driver

    Avoid possible leakage of s3 access keys by not including them in log
    messages.

    This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
    (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
    some more log messages that the original patch had missed.

    The two commits are squashed here for ease in backporting (and also
    to make sure that *both* are always backported).

    Closes-Bug: #2047688
    Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
    (cherry picked from commit a5ba027922ba1230b4ae9abb810f36427be6354a)

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (unmaintained/yoga)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/909173
Committed: https://opendev.org/openstack/glance_store/commit/cb75bcb06bc870d0debcd210c4d0144a5688e76e
Submitter: "Zuul (22348)"
Branch: unmaintained/yoga

commit cb75bcb06bc870d0debcd210c4d0144a5688e76e
Author: lujie <email address hidden>
Date: Fri Jan 19 13:12:20 2024 +0800

    Do not show access_key in s3 driver

    Avoid possible leakage of s3 access keys by not including them in log
    messages.

    This patch includes commit d6e531af4821c8466b1e9404f12f89f6216417f2
    (change I8dc564bed33d6fc71965f4f573ae9109b410b1d4), which addressed
    some more log messages that the original patch had missed.

    The two commits are squashed here for ease in backporting (and also
    to make sure that *both* are always backported).

    Closes-Bug: #2047688
    Change-Id: I9193df38d613259b61bb369fa1040fb2c51a21d7
    (cherry picked from commit a5ba027922ba1230b4ae9abb810f36427be6354a)
    (cherry picked from commit 1583aebb69befea3173396ea161cf896b7d51beb)
    (cherry picked from commit 45ad5df01fa7062ba7d3ec99966531623e35ab57)
    (cherry picked from commit f7f87019adbcdb069ea23ccb7b3e187cb52eaf55)

tags: added: in-unmaintained-yoga
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store 4.3.3

This issue was fixed in the openstack/glance_store 4.3.3 release.
