[OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | | High | Nikhil Komawar |
Glance (Havana) | | High | Nikhil Komawar |
OpenStack Security Advisory | | High | Jeremy Stanley |
Bug Description
WARNING glance.store [-] Get image <UUID> data from {'url': u'swift+https:/
19:13:05.027 ERROR glance.store [-] Glance tried all locations to get data for image <UUID> but all have failed.
Changed in glance: importance: Undecided → Critical
Changed in ossa: status: New → Incomplete
Changed in glance: status: New → Confirmed; description: updated
Thierry Carrez (ttx) wrote (#1):
Nikhil Komawar (nikhil-komawar) wrote (#2):
ttx: +1
Changed in ossa: status: Incomplete → Confirmed; importance: Undecided → High
Jeremy Stanley (fungi) wrote (#3):
Confirmed, this is similar to OSSA 2013-031. Proposed impact description (based on that one for now)...
----
Title: Glance store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Affects: All supported versions
Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance store backend. Only Glance setups using the store backend are affected.
----
Changed in ossa: status: Confirmed → Triaged; assignee: nobody → Jeremy Stanley (fungi)
A user can upload an image to glance with a --location swift-url, using his own swift account. Maybe the leak is not the default swift store present in /etc/glance/
Also it is not clear what can make the authentication request fail. Is it a connection problem, or when the user changes his password?
@nikhil-komawar can you confirm the proposed description?
Nikhil Komawar (nikhil-komawar) wrote (#5):
This error was happening on the default (operator) swift store account.
Logging happens at this part of the code: https:/
The case when I saw this was: when the call was happening while a user token was being used to get image data for an image that is publicized using the export task functionality. (The code is not upstream yet). However, the user does not have the right context to use that image.
Haven't had a chance to explore more permutations of invalid context for the user when this line would be logged. In any case, I believe that we should remove logging such sensitive info from the code.
Changed in glance: assignee: nobody → nikhil komawar (nikhil-komawar)
Nikhil Komawar (nikhil-komawar) wrote (#6):
Guess this was not observed as this bug is private:-
https:/
Changed in glance: status: Confirmed → In Progress
Thierry Carrez (ttx) wrote (#7):
+1 on description. Should it mention "Swift store" rather than "store" ?
information type: Private Security → Public Security
Changed in glance: importance: Critical → High; milestone: none → icehouse-3
@nikhil-komawar Can you also backport this to Havana and Grizzly please?
Jeremy Stanley (fungi) wrote (#9):
Nikhil: Right, if the intent was to report the issue in private then any fixes should have been attached as patches directly to the bug instead of submitting to public code review. Ultimately it's up to the discretion of the bug reporter as to whether we observe an embargo period on the report and discuss the vulnerability and fixes in private, or whether it is reported/fixed in public.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit f6e41e9c0ff3aa9
Author: Nikhil Komawar <email address hidden>
Date: Wed Feb 5 18:39:53 2014 -0500
Removes logging of location uri
This patch removes logging of sensitive store location uri, which
is logged when an exception occurs while trying to get the object
from the store or due to a failure in getting the store api due to
unauthorized context.
fixes bug 1275062
Change-Id: I679baa0897f242
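The commit above fixes the leak by dropping the log line entirely. As an added example (not Glance's own code), the following Python shows the complementary defensive pattern a store backend can apply: redact the userinfo of a swift location URI before it is logged, and install a logging filter as a backstop so a credential passed through %-args never reaches a handler. The location format, the logger name and all function names are assumptions; the sample location is constructed.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a single-tenant Swift store location in the shape Glance
# uses (assumed: swift+https://<tenant>:<user>:<key>@<auth_host>/<container>/<object>).
SAMPLE_LOCATION = {
    "url": "swift+https://tenant1:glance:s3cr3tkey@auth.example.test/glance/IMAGE-UUID",
    "metadata": {},
}

# Userinfo of a swift/swift+http/swift+https URI up to the first '@'; assumes the
# key is URL-quoted, so a literal '@' never appears inside the credentials.
_SWIFT_USERINFO_RE = re.compile(r"(swift(?:\+https?)?://)[^@/\s]+@")


def redact_location_uri(uri):
    """Return uri with the account:user:key userinfo replaced by '***'.

    Multi-tenant Swift locations carry no userinfo and pass through unchanged.
    """
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, "***@" + host, parts.path, parts.query, parts.fragment))


class SwiftCredentialFilter(logging.Filter):
    """Scrubs swift credentials from every record, even ones passed via %-args."""

    def filter(self, record):
        # Render the message now so args are covered too, then drop the args so
        # the handler does not re-apply %-formatting to the scrubbed text.
        record.msg = _SWIFT_USERINFO_RE.sub(r"\1***@", record.getMessage())
        record.args = ()
        return True


def warn_get_failed(image_id, location, logger_name="glance.store"):
    """Emit the store's failed-GET warning with credentials scrubbed; return its text."""
    logger = logging.getLogger(logger_name)
    record = logger.makeRecord(logger.name, logging.WARNING, "glance.store", 0,
                               "Get image %s data from %s failed", (image_id, location), None)
    SwiftCredentialFilter().filter(record)
    logger.handle(record)
    return record.getMessage()
```

Attaching `SwiftCredentialFilter` to the store logger with `addFilter` covers every message on that logger, not only the one shown here.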
Changed in glance: status: In Progress → Fix Committed
Fix proposed to branch: stable/havana
Review: https:/
@nikhil: any chance you could propose this patch for stable/grizzly as well?
Jeremy Stanley (fungi) wrote (#13):
Is grizzly actually impacted? It looks like this log line was introduced in https:/
Here's an updated impact description incorporating Thierry's suggestion from comment #7 along with our recently revised format and my guess above about affected versions. I'll go ahead and request a CVE on the oss-security for this if nobody objects.
----
Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1
Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.
Fix proposed to branch: stable/havana
Review: https:/
Nikhil Komawar (nikhil-komawar) wrote (#15), Re: image location is logged when authentication to store fails:
Thanks for pointing that out ttx, however we do not have this issue in stable/grizzly.
Please find the code for grizzly here: https:/
Nikhil Komawar (nikhil-komawar) wrote (#16):
The MP for stable/havana has been moved to https:/
Stuart McLaren (stuart-mclaren) wrote (#18):
A very minor nit on the description.
There are two flavours of Swift store: Single Tenant and Multi Tenant. Typically in the case of Multi Tenant no credentials are stored in the location field. If set_image_location is disabled by policy then there is no credentials leak for Multi Tenant mode. I wonder if something like the following should be considered:
"Only Glance setups which use the Swift store are affected. In the case of a Multi Tenant Swift "
"store where 'set_image_
"Swift store backend an attacker with access to the logs (local shell, log aggregation system access, "
"or accidental leak) may potentially leverage this vulnerability to elevate privileges and gain "
"full direct access to the Glance Swift store backend. In the case of both Single and Multi Tenant Swift "
"store backends where the set_image_location policy is not disabled, an attacker with access "
"to the logs may potentially access any credentials contained in locations which have "
"been explicitly set by any user. "
Jeremy Stanley (fungi) wrote (#19):
I concede to not being familiar enough with Swift's various deployment models, but do worry about getting overly specific about identifying affected configurations. The goal is to provide enough detail that the lowest-
----
Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1
Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.
Nikhil Komawar (nikhil-komawar) wrote (#20):
+1 on fungi's proposal, please let me know if someone has concerns. Will change the description after 4 or so hours.
Jeremy Stanley (fungi) wrote (#21):
I wouldn't worry too much about updating the bug description. My comment was more so as to finalize the wording which we'll be using in the CVE request and subsequent security advisory.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/havana
commit 108f0e04ad2ed3d
Author: Nikhil Komawar <email address hidden>
Date: Wed Feb 5 18:39:53 2014 -0500
Removes logging of location uri
This patch removes logging of sensitive store location uri, which
is logged when an exception occurs while trying to get the object
from the store or due to a failure in getting the store api due to
unauthorized context.
fixes bug 1275062
Change-Id: I679baa0897f242
summary: image location is logged when authentication to store fails → sensitive info in image location is logged when authentication to single tenant swift store fails
Changed in ossa: status: Triaged → In Progress
Thierry Carrez (ttx) wrote (#23), Re: sensitive info in image location is logged when authentication to single tenant swift store fails:
All set for publication
Jeremy Stanley (fungi) wrote (#24):
Except awaiting CVE assignment (sent to oss-security ML about 12 hours ago).
Jeremy Stanley (fungi) wrote (#25):
According to MITRE this gets CVE-2014-1948, but Launchpad doesn't yet think that's a real CVE number so I haven't linked it.
Changed in ossa: status: In Progress → Fix Committed
summary: sensitive info in image location is logged when authentication to single tenant swift store fails → sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948)
summary: sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948) → [OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948)
Changed in ossa: status: Fix Committed → Fix Released
Changed in glance: status: Fix Committed → Fix Released
Changed in glance: milestone: icehouse-3 → 2014.1
I think we should have an OSSA here. Other thoughts?