auth_encryption_key option should be secret
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Heat | Fix Released | High | Eric Brown | |
| Kilo | Fix Released | Medium | Eric Brown | |
| OpenStack Security Advisory | Invalid | Undecided | Unassigned | |
Bug Description
The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.
Steps to Recreate:
- Set a super secret value for auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for the auth_encryption_key value
- Notice that the secret does appear in a world-readable log location.
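The leak and the fix side by side, as an added stdlib-only example that is not Heat's own code: it models the way a config library's "secret" flag (oslo.config's `secret=True` on an option) masks a value in the debug-time option dump, and adds the grep-style check from the steps above. The heat.conf fragment, the key value and the `SECRET_OPTS` policy table are constructed for the example.

```python
import configparser

# Constructed heat.conf fragment for this example; the key value is a
# placeholder, not a real secret.
HEAT_CONF = """
[DEFAULT]
debug = True
auth_encryption_key = EXAMPLE-KEY-VALUE-NOT-A-REAL-SECRET
heat_metadata_server_url = http://controller:8000
"""

# Options whose values must never reach a log (hypothetical policy table;
# in oslo.config this is the secret=True flag on the Opt definition).
SECRET_OPTS = {"auth_encryption_key"}
MASK = "****"


def load_conf(text):
    """Parse the [DEFAULT] section of a heat.conf-style file into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["DEFAULT"])


def log_opt_values(conf, secret_opts):
    """Render the debug-time option dump. Options named in secret_opts are
    masked; with an empty set this reproduces the leaky pre-fix behaviour."""
    return "\n".join(
        f"{name} = {MASK if name in secret_opts else value}"
        for name, value in sorted(conf.items())
    )


def leaked_secrets(log_text, conf, secret_opts):
    """Names of secret options whose plaintext value appears in log_text,
    i.e. the check the reproduction steps do with grep over /var/log/heat."""
    return sorted(
        name for name in secret_opts
        if conf.get(name) and conf[name] in log_text
    )


if __name__ == "__main__":
    conf = load_conf(HEAT_CONF)
    before = log_opt_values(conf, set())       # option not marked secret: leaks
    after = log_opt_values(conf, SECRET_OPTS)  # option marked secret: masked
    print("leaked before fix:", leaked_secrets(before, conf, SECRET_OPTS))
    print("leaked after fix: ", leaked_secrets(after, conf, SECRET_OPTS))
```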
Changed in heat:
- status: New → Triaged
- importance: Undecided → High
- tags: added: kilo-rc-potential

Changed in heat:
- assignee: nobody → Angus Salkeld (asalkeld)
- milestone: none → liberty-1

Changed in heat:
- assignee: Angus Salkeld (asalkeld) → nobody
- assignee: nobody → Eric Brown (ericwb)
- status: Triaged → In Progress
- tags: removed: kilo-rc-potential

Changed in heat:
- status: Fix Committed → Fix Released

Changed in heat:
- milestone: liberty-1 → 5.0.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.