OpenStack Identity (keystone)

admin_token and LDAP password show up in log in DEBUG mode

Bug #1172195 reported by Thierry Carrez on 2013-04-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Low	Xu Han Peng	OpenStack Identity (keystone) 2013.2 "havana"
	Grizzly	Fix Released	Low	Adam Gandelman	OpenStack Identity (keystone) 2013.1.1

Bug Description

This is a by-product of bug 1168252.

Keystone auth_token and LDAP password are not market "secret" so they appear in DEBUG level logs:

(keystone-all): 2013-04-23 23:17:09,101 DEBUG cfg log_opt_values admin_token = 111222333444
(keystone-all): 2013-04-23 23:17:09,108 DEBUG cfg log_opt_values ldap.password = None

Tags:

CVE References

2013-2006

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-04-24:

Kurt assigned CVE-2013-2006 for the OpenStack keystone LDAP password disclosure in log files

http://openwall.com/lists/oss-security/2013/04/24/1

tags:

added: security

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-04-24:

https://review.openstack.org/#/c/26826/

OpenStack Infra (hudson-openstack) on 2013-04-25

Changed in keystone:
assignee:	nobody → Xu Han Peng (xuhanp)
status:	New → In Progress

Alan Pevec (apevec) on 2013-04-25

tags:

added: grizzly-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-04-25: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/26826
Committed: http://github.com/openstack/keystone/commit/d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Submitter: Jenkins
Branch: master

commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

Mark LDAP password and admin_token secret

Add secret=True to LDAP password and admin_token
of keystone configuration.

Fix bug #1172195

Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-05-01: Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/27980

Alan Pevec (apevec) on 2013-05-02

Changed in keystone:
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-05-02: Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/27980
Committed: http://github.com/openstack/keystone/commit/c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Submitter: Jenkins
Branch: stable/grizzly

commit c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

Mark LDAP password and admin_token secret

Add secret=True to LDAP password and admin_token
of keystone configuration.

Fix bug #1172195

Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75
(cherry picked from commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8)

Adam Gandelman (gandelman-a) on 2013-05-02

tags:

removed: grizzly-backport-potential

Thierry Carrez (ttx) on 2013-05-29

Changed in keystone:
milestone:	none → havana-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in keystone:
milestone:	havana-1 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.