Running Flask server in debug mode may be a security issue

Bug #1506419 reported by Dmitry Tantsur on 2015-10-15
Affects                      | Status       | Importance | Assigned to    | Milestone
Ironic Inspector             | Fix Released | High       | Dmitry Tantsur |
Kilo                         | Fix Released | High       | Dmitry Tantsur |
Liberty                      | Fix Released | High       | Dmitry Tantsur |
Mitaka                       | Fix Released | High       | Dmitry Tantsur |
OpenStack Security Advisory  |              | Undecided  | Unassigned     |

Bug Description

A lot of people default to running their servers in debug mode. While handy for getting the full logs, in our case it will also allow access to Flask console, which may pose a security risk. We need a separate option for this.

CVE References

Fix proposed to branch: master
Review: https://review.openstack.org/235258

Changed in ironic-inspector:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/235258
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=77d0052c5133034490386fbfadfdb1bdb49aa44f
Submitter: Jenkins
Branch: master

commit 77d0052c5133034490386fbfadfdb1bdb49aa44f
Author: Dmitry Tantsur <email address hidden>
Date: Thu Oct 15 12:51:23 2015 +0200

    Never run Flask application with debug mode

    Flask server in debug mode allows users to execute any Python code
    on a server, which is a security issue for us.

    Change-Id: I9e12510b0abb04182e85bf3f73cdad29e1f8d382
    Closes-Bug: #1506419

Changed in ironic-inspector:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/235856
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=2c64da2bee6eeea27c08eb7a94894feaa5494910
Submitter: Jenkins
Branch: stable/liberty

commit 2c64da2bee6eeea27c08eb7a94894feaa5494910
Author: Dmitry Tantsur <email address hidden>
Date: Thu Oct 15 12:51:23 2015 +0200

    Never run Flask application with debug mode

    Flask server in debug mode allows users to execute any Python code
    on a server, which is a security issue for us.

    Change-Id: I9e12510b0abb04182e85bf3f73cdad29e1f8d382
    Closes-Bug: #1506419
    (cherry picked from commit 77d0052c5133034490386fbfadfdb1bdb49aa44f)

Jeremy Stanley (fungi) wrote :

Added a "won't fix" security advisory task for this and marked it as a hardening opportunity (class D in https://security.openstack.org/vmt-process.html#incident-report-taxonomy ) due to being a sensitive information disclosure occurring only in DEBUG level logs.

Changed in ossa:
status: New → Won't Fix
tags: added: security
Jeremy Stanley (fungi) wrote :

Sorry, as Garth Mollett pointed out to me via E-mail, this is not simply an information disclosure but instead a backdoor. Probably the closest prior report I've seen is bug 1425206.

Though also, Ironic is not currently under OpenStack VMT oversight[*], so take this as guidance for how I would have classified it were that not actually the case.

[*] http://governance.openstack.org/reference/tags/vulnerability_managed.html

Garth Mollett (gmollett) wrote :

CVE-2015-5306 OpenStack Ironic: Potential remote code execution with debug mode enabled.
Has been assigned to this issue.

Reviewed: https://review.openstack.org/238007
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=7ca56201897d8288b1acaafeccd9469840f73dcf
Submitter: Jenkins
Branch: stable/1.1

commit 7ca56201897d8288b1acaafeccd9469840f73dcf
Author: Dmitry Tantsur <email address hidden>
Date: Wed Oct 21 13:56:34 2015 +0200

    Never run Flask in debug mode, it poses a security risk

    Change-Id: I0c0c192bc75f42cfb070059f1764a0837ae956bb
    Closes-Bug: #1506419

Mark Goddard (mgoddard) wrote :

For the sake of documentation, another good reason not to run in debug mode is that it causes Flask to create a second process to monitor changes to the file system. The eventlet greenthreads for periodic clean up and firewall update tasks end up running in both processes, breaking the synchronisation in the firewall module. If the periodic firewall update runs in the parent process at the same time as an introspection callback API is handled in the main process, the two can interact, and cause unexpected errors, leading to inspection failure.

Dmitry Tantsur (divius) wrote :

Mark, great catch! I think we saw this problem already.
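The separation the report asks for (a service-wide debug flag that only raises the log level and can never switch on the Flask/Werkzeug debugger), plus the reloader side effect Mark describes above, as an added Python example; this is not ironic-inspector's code, and `ServiceConfig` with its attribute names is an assumption standing in for the project's oslo.config options.

```python
import logging

# Constructed stand-in for the service's option set (the real project uses
# oslo.config; this class and its attribute names are assumptions). `debug`
# is the operator-facing "verbose logging" switch that many people turn on.
class ServiceConfig:
    def __init__(self, debug=False, listen_address="127.0.0.1", listen_port=5050):
        self.debug = debug
        self.listen_address = listen_address
        self.listen_port = listen_port


def log_level(conf):
    """The only thing the service-wide debug flag should control."""
    return logging.DEBUG if conf.debug else logging.INFO


def run_options_before(conf):
    """The risky pattern: the logging flag is reused for the dev server, so
    `debug` turns on the Werkzeug debugger (arbitrary code execution from
    the browser) and the file-system reloader (a second process) along with
    verbose logs."""
    return {"host": conf.listen_address, "port": conf.listen_port,
            "debug": conf.debug}


def run_options_after(conf):
    """Hardened form: logging and the WSGI server are configured separately
    and the debugger/reloader are pinned off regardless of `conf.debug`.
    `use_debugger`, `use_evalex` and `use_reloader` are Werkzeug run_simple
    options that Flask's app.run() forwards unchanged."""
    return {"host": conf.listen_address, "port": conf.listen_port,
            "debug": False,
            "use_debugger": False,   # no interactive traceback page
            "use_evalex": False,     # no in-browser Python console
            "use_reloader": False}   # no second file-watcher process


def debugger_exposed(options):
    """Review check: would app.run(**options) serve the interactive debugger?
    Mirrors Flask's defaulting: use_debugger falls back to the debug flag."""
    return bool(options.get("use_debugger", options.get("debug", False)))


if __name__ == "__main__":
    verbose = ServiceConfig(debug=True)
    print("log level:", logging.getLevelName(log_level(verbose)))
    print("before:", debugger_exposed(run_options_before(verbose)))
    print("after: ", debugger_exposed(run_options_after(verbose)))
```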

This issue was fixed in the openstack/ironic-inspector 2.3.0 release.

Changed in ironic-inspector:
status: Fix Committed → Fix Released