2015-04-20 22:44:07 |
Eric Brown |
bug |
|
|
added bug |
2015-04-20 23:02:13 |
Jeremy Stanley |
description |
The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.
Steps to Recreate:
- Set a super secret value of auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for auth_encryption_key value
- Notice the secrets do appear in a world readable log location.
root@controller01:/home/viouser# grep auth_encryption_key /var/log/heat/*
/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:18.362 22392 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:21.667 22404 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api.log:2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994 |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.
Steps to Recreate:
- Set a super secret value of auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for auth_encryption_key value
- Notice the secrets do appear in a world readable log location.
root@controller01:/home/viouser# grep auth_encryption_key /var/log/heat/*
/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:18.362 22392 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:21.667 22404 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api.log:2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994 |
|
2015-04-20 23:02:30 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-04-20 23:02:40 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-04-20 23:02:54 |
Jeremy Stanley |
bug |
|
|
added subscriber Heat Core security contacts |
2015-04-21 05:51:36 |
Angus Salkeld |
heat: status |
New |
Triaged |
|
2015-04-21 05:51:42 |
Angus Salkeld |
heat: importance |
Undecided |
High |
|
2015-04-21 05:52:00 |
Angus Salkeld |
tags |
|
kilo-rc-potential |
|
2015-04-21 05:52:49 |
Angus Salkeld |
heat: assignee |
|
Angus Salkeld (asalkeld) |
|
2015-04-21 05:52:53 |
Angus Salkeld |
heat: milestone |
|
liberty-1 |
|
2015-04-21 05:57:58 |
Angus Salkeld |
attachment added |
|
auth_encryption_key.patch https://bugs.launchpad.net/heat/+bug/1446408/+attachment/4380331/+files/auth_encryption_key.patch |
|
2015-04-21 06:34:56 |
Angus Salkeld |
heat: assignee |
Angus Salkeld (asalkeld) |
|
|
2015-04-21 06:35:55 |
Angus Salkeld |
heat: assignee |
|
Eric Brown (ericwb) |
|
2015-04-21 06:36:15 |
Angus Salkeld |
heat: status |
Triaged |
In Progress |
|
2015-04-21 14:34:22 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
2015-04-21 14:34:35 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.
Steps to Recreate:
- Set a super secret value of auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for auth_encryption_key value
- Notice the secrets do appear in a world readable log location.
root@controller01:/home/viouser# grep auth_encryption_key /var/log/heat/*
/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:18.362 22392 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:21.667 22404 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api.log:2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994 |
The auth_encryption_key is a shared secret option used for encryption and decryption within Heat. Passwords, key values, and other secrets in heat.conf should be marked secret so that the data isn't exposed in the logs.
Steps to Recreate:
- Set a super secret value of auth_encryption_key in heat.conf
- Set debug = True in heat.conf
- Restart the heat services
- grep the logs in /var/log/heat/* for auth_encryption_key value
- Notice the secrets do appear in a world readable log location.
root@controller01:/home/viouser# grep auth_encryption_key /var/log/heat/*
/var/log/heat/heat-api-cfn.log:2015-04-20 20:52:28.239 22423 DEBUG heat-api-cfn [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:18.362 22392 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api-cloudwatch.log:2015-04-20 20:52:21.667 22404 DEBUG heat-api-cloudwatch [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-api.log:2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994
/var/log/heat/heat-engine.log:2015-04-20 20:52:11.638 22366 DEBUG heat.openstack.common.service [-] auth_encryption_key = notgood but just long enough i think log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994 |
|
2015-04-21 14:36:20 |
Jeremy Stanley |
heat: status |
In Progress |
Fix Committed |
|
2015-04-22 23:28:29 |
Angus Salkeld |
nominated for series |
|
heat/kilo |
|
2015-04-22 23:28:29 |
Angus Salkeld |
bug task added |
|
heat/kilo |
|
2015-04-22 23:28:39 |
Angus Salkeld |
heat/kilo: status |
New |
Triaged |
|
2015-04-22 23:28:42 |
Angus Salkeld |
heat/kilo: importance |
Undecided |
Medium |
|
2015-04-22 23:28:47 |
Angus Salkeld |
heat/kilo: milestone |
|
kilo-rc2 |
|
2015-04-23 06:20:47 |
Angus Salkeld |
heat/kilo: status |
Triaged |
In Progress |
|
2015-04-23 06:21:38 |
Angus Salkeld |
heat/kilo: assignee |
|
Eric Brown (ericwb) |
|
2015-04-23 08:01:20 |
OpenStack Infra |
heat/kilo: status |
In Progress |
Fix Committed |
|
2015-04-23 11:37:58 |
Thierry Carrez |
heat/kilo: status |
Fix Committed |
Fix Released |
|
2015-04-23 12:00:25 |
Thierry Carrez |
tags |
kilo-rc-potential |
|
|
2015-04-27 14:25:57 |
Jeremy Stanley |
ossa: status |
Incomplete |
Invalid |
|
2015-04-30 10:05:47 |
Thierry Carrez |
heat/kilo: milestone |
kilo-rc2 |
2015.1.0 |
|
2015-06-24 12:45:04 |
Thierry Carrez |
heat: status |
Fix Committed |
Fix Released |
|
2015-10-15 10:17:40 |
Thierry Carrez |
heat: milestone |
liberty-1 |
5.0.0 |
|
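An added example, not part of the bug report or of Heat's code: a log audit for the exposure described in the bug description above. It flags `log_opt_values` DEBUG lines where a secret-looking option is printed in clear instead of as `****`, the mask oslo.config prints for options declared with `secret=True`. The name heuristic, the function names and all sample lines except the first are assumptions constructed for illustration.

```python
import re
import stat

# Shape of an oslo.config log_opt_values DEBUG line, as shown in the report.
OPT_LINE = re.compile(
    r"DEBUG\s+\S+\s+\[[^\]]*\]\s+(?P<name>[\w.]+)\s+=\s+(?P<value>.*?)"
    r"\s+log_opt_values\s")
# Assumption: option names containing these words hold secrets.
SECRET_HINT = re.compile(r"key|password|secret|token", re.IGNORECASE)
MASK = "****"  # printed by oslo.config for options declared secret=True
CFG = "/usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1994"


def find_unmasked_secrets(lines):
    """Return (line_no, option_name) for secret-looking options logged in clear.

    The value is never returned, so the audit output does not leak it again.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = OPT_LINE.search(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value")
        # Unset options are logged as None; masked ones as ****.
        if SECRET_HINT.search(name) and value not in (MASK, "None", ""):
            findings.append((line_no, name))
    return findings


def is_world_readable(mode):
    """True when a file mode (os.stat().st_mode) grants read to 'other'."""
    return bool(mode & stat.S_IROTH)


# Line 1 is taken from the report; lines 2-4 are constructed samples.
SAMPLE_LOG = [
    "2015-04-20 20:52:15.890 22380 DEBUG heat-api [-] auth_encryption_key"
    " = notgood but just long enough i think log_opt_values " + CFG,
    "2015-04-20 20:52:15.891 22380 DEBUG heat-api [-] debug = True"
    " log_opt_values " + CFG,
    "2015-04-20 20:52:15.892 22380 DEBUG heat-api [-] sample_service_password"
    " = **** log_opt_values " + CFG,
    "2015-04-20 20:52:15.893 22380 DEBUG heat-api [-] sample_group.api_token"
    " = abc123 log_opt_values " + CFG,
]

if __name__ == "__main__":
    for line_no, name in find_unmasked_secrets(SAMPLE_LOG):
        print("line %d: %s logged unmasked" % (line_no, name))
```

Any option this reports has already been written to disk in clear, so marking it secret stops further logging but the existing value should be treated as exposed.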