[OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948)

I think we should have an OSSA here. Others thought ?

ttx: +1

Confirmed, this is similar to OSSA 2013-031. Proposed impact description (based on that one for now)...
----
Title: Glance store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Affects: All supported versions

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance store backend. Only Glance setups using the store backend are affected.
----

An user can upload an image to glance with a --location swift-url, using his own swift account. Maybe the leak is not the default swift store present in /etc/glance/glance-api.conf but the user account.

Also it is not clear what can make the authentication request to fail. Is it a connection problem, or when the user change his password ?

@nikhil komawar can you confirm the proposed description ?

This error was happening on the default (operator) swift store account.

Logging happens at this part of the code: https://github.com/openstack/glance/blob/master/glance/store/__init__.py#L716

The case when I saw this was: when the call was happening while a user token was being used to get image data for an image that is publicized using the export task functionality. (The code is not upstream yet). However, the user does not have the right context to use that image.

Haven't had a chance to explore more permutations of invalid context for the user when this line would be logged. In any case, I believe that we should remove logging such sensitive info from the code.

Guess this was not observed as this bug is private:-
https://review.openstack.org/#/c/71419/

+1 on description. Should it mention "Swift store" rather than "store" ?

@nikhil-komawar Can you also backport this to Havana and Grizzly please ?

Nikhil: Right, if the intent was to report the issue in private then any fixes should have been attached as patches directly to the bug instead of submitting to public code review. Ultimately it's up to the discretion of the bug reporter as to whether we observe an embargo period on the report and discuss the vulnerability and fixes in private, or whether it is reported/fixed in public.

Reviewed: https://review.openstack.org/71419
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=f6e41e9c0ff3aa9ee57b8c8ed8c789f1aff019bc
Submitter: Jenkins
Branch: master

commit f6e41e9c0ff3aa9ee57b8c8ed8c789f1aff019bc
Author: Nikhil Komawar <email address hidden>
Date: Wed Feb 5 18:39:53 2014 -0500

    Removes logging of location uri

    This patch removes logging of sensitive store location uri, which
    is logged when an exception occurs while trying to get the object
    from the store or due to a failure in getting the store api due to
    unauthorized context.

    fixes bug 1275062

    Change-Id: I679baa0897f242f4b8372c9c1c7ab28ae811f5e5

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/71643

@nikhil: any chance you could propose this patch for stable/grizzly as well ?

Is grizzly actually impacted? It looks like this log line was introduced in https://review.openstack.org/35734 which only appears in release tags 2013.2 and 2013.2.1...

Here's an updated impact description incorporating Thierry's suggestion from comment #7 along with our recently revised format and my guess above about affected versions. I'll go ahead and request a CVE on the oss-security for this if nobody objects.

----

Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to the requested store fails. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/72473

Thanks for pointing that out ttx, however we do not have this issue in stable/grizzly.

Please find the code for grizzly here: https://github.com/openstack/glance/blob/stable/grizzly/glance/store/__init__.py#L393

The MP for stable/havana has been moved to https://review.openstack.org/#/c/72473/ following a comment on the old one. (old MP https://review.openstack.org/71643 is abandoned now).

+1 for impact description

A very minor nit on the description.

There are two flavours of Swift store: Single Tenant and Multi Tenant. Typically in the case of Multi Tenant no credentials are stored in the location field. If set_image_location is disabled by policy then there is no credentials leak for Multi Tenant mode. I wonder if something like the following should be considered:

 "Only Glance setups which use the Swift store are affected. In the case of a Multi Tenant Swift "
 "store where 'set_image_location' is disabled by policy there is no vulnerability. In the case of a Single Tenant "
 "Swift store backend an attacker with access to the logs (local shell, log aggregation system access, "
 "or accidental leak) may potentially leverage this vulnerability to elevate privileges and gain "
 "full direct access to the Glance Swift store backend. In the case of both Single and Multi Tenant Swift "
 "store backends where the set_image_location policy is not disabled, an attacker with access "
 "to the logs may potentially access any credentials contained in locations which have "
 "been explicitly set by any user. "

I concede to not being familiar enough with Swift's various deployment models, but do worry about getting overly specific about identifying affected configurations. The goal is to provide enough detail that the lowest-common-denominator operator/sysadmin can determine whether they should upgrade/apply the patch, without getting into the weeds and without being so verbose that they stop reading (which usually happens after the first few sentences). How about...

----

Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.

+1 on fungi's proposal, please let me know if someone has concerns. Will change the description after 4 or so hours.

I wouldn't worry too much about updating the bug description. My comment was more so as to finalize the wording which we'll be using the the CVE request and subsequent security advisory.

Reviewed: https://review.openstack.org/72473
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=108f0e04ad2ed3dc287f1b71b987a7e9d66072ba
Submitter: Jenkins
Branch: stable/havana

commit 108f0e04ad2ed3dc287f1b71b987a7e9d66072ba
Author: Nikhil Komawar <email address hidden>
Date: Wed Feb 5 18:39:53 2014 -0500

    Removes logging of location uri

    This patch removes logging of sensitive store location uri, which
    is logged when an exception occurs while trying to get the object
    from the store or due to a failure in getting the store api due to
    unauthorized context.

    fixes bug 1275062

    Change-Id: I679baa0897f242f4b8372c9c1c7ab28ae811f5e5

All set for publication

Except awaiting CVE assignment (sent to oss-security ML about 12 hours ago).

According to MITRE this gets CVE-2014-1948, but Launchpad doesn't yet think that's a real CVE number so I haven't linked it.