OpenStack Identity (Keystone)

admin_token and LDAP password show up in log in DEBUG mode

Reported by Thierry Carrez on 2013-04-24
Affects     Importance   Assigned to
Keystone    Low          Xu Han Peng
Grizzly     Low          Adam Gandelman

Bug Description

This is a by-product of bug 1168252.

Keystone auth_token and LDAP password are not marked "secret" so they appear in DEBUG level logs:

(keystone-all): 2013-04-23 23:17:09,101 DEBUG cfg log_opt_values admin_token = 111222333444
(keystone-all): 2013-04-23 23:17:09,108 DEBUG cfg log_opt_values ldap.password = None

CVE References

CVE-2013-2006
Thierry Carrez (ttx) wrote:

Kurt assigned CVE-2013-2006 for the OpenStack keystone LDAP password disclosure in log files

http://openwall.com/lists/oss-security/2013/04/24/1

tags: added: security
Changed in keystone:
assignee: nobody → Xu Han Peng (xuhanp)
status: New → In Progress
Alan Pevec (apevec) on 2013-04-25
tags: added: grizzly-backport-potential

Reviewed: https://review.openstack.org/26826
Committed: http://github.com/openstack/keystone/commit/d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Submitter: Jenkins
Branch: master

commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

    Mark LDAP password and admin_token secret

    Add secret=True to LDAP password and admin_token
    of keystone configuration.

    Fix bug #1172195

    Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75

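The fix above is a one-line change per option: setting secret=True on the oslo.config option definition so that the DEBUG-time dump of option values masks the value. As an added example, not Keystone's or oslo.config's own code, the following models that mechanism with a minimal stand-in registry (pre-fix registration beside the fixed one) and pairs it with a log check an operator could run over keystone-all DEBUG output to confirm the backport actually took effect on a node. The mask string "****", the stand-in ConfigOpts/Opt classes, the set_override helper and the sample log lines are assumptions constructed for illustration; the two quoted log lines are the ones from the bug description.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed mask string: oslo.config's log_opt_values() prints "****" in place
# of the value of any option registered with secret=True.
MASK = "****"


@dataclass
class Opt:
    """Stand-in for oslo.config's StrOpt: only the fields this example needs."""
    name: str
    default: Optional[str] = None
    secret: bool = False   # the flag the fix above sets to True


class ConfigOpts:
    """Minimal model of oslo.config's ConfigOpts (not the real class)."""

    def __init__(self) -> None:
        self._opts: Dict[str, Opt] = {}
        self._values: Dict[str, Optional[str]] = {}

    def register_opt(self, opt: Opt, group: Optional[str] = None) -> None:
        key = f"{group}.{opt.name}" if group else opt.name
        self._opts[key] = opt
        self._values[key] = opt.default

    def set_override(self, key: str, value: Optional[str]) -> None:
        """Simulate a value arriving from keystone.conf."""
        self._values[key] = value

    def log_opt_values(self) -> List[str]:
        """Return the 'name = value' lines a DEBUG dump emits, masking secrets."""
        lines = []
        for key in sorted(self._opts):
            value = self._values[key]
            shown = MASK if self._opts[key].secret else value
            lines.append(f"{key} = {shown}")
        return lines


def build_config(mark_secret: bool) -> ConfigOpts:
    """Register the two options named in the report.

    mark_secret=False models the pre-fix registration, mark_secret=True the
    committed fix (secret=True on both options).
    """
    conf = ConfigOpts()
    conf.register_opt(Opt("admin_token", default="ADMIN", secret=mark_secret))
    conf.register_opt(Opt("password", default=None, secret=mark_secret), group="ldap")
    conf.set_override("admin_token", "111222333444")  # constructed value, as in the report
    return conf


# Options whose values must never appear in clear text in a DEBUG dump.
SENSITIVE_OPTS = {"admin_token", "ldap.password"}

# Matches the tail of a keystone-all DEBUG line in the format quoted in the report.
DUMP_RE = re.compile(r"DEBUG cfg log_opt_values (?P<opt>\S+) = (?P<value>.*)$")


def find_unmasked_secrets(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (option, logged value) for every sensitive option dumped unmasked.

    A value of 'None' is still reported: it leaks nothing today, but shows the
    option is not registered secret and will leak as soon as it is set.
    """
    findings = []
    for line in log_lines:
        m = DUMP_RE.search(line)
        if not m:
            continue
        opt, value = m.group("opt"), m.group("value").strip()
        if opt in SENSITIVE_OPTS and value != MASK:
            findings.append((opt, value))
    return findings


def dump_as_log(conf: ConfigOpts) -> List[str]:
    """Wrap log_opt_values() output in the keystone-all DEBUG line format."""
    prefix = "(keystone-all): 2013-04-23 23:17:09,101 DEBUG cfg log_opt_values "
    return [prefix + line for line in conf.log_opt_values()]


# Constructed sample: the two lines quoted in the bug description.
REPORTED_LINES = [
    "(keystone-all): 2013-04-23 23:17:09,101 DEBUG cfg log_opt_values admin_token = 111222333444",
    "(keystone-all): 2013-04-23 23:17:09,108 DEBUG cfg log_opt_values ldap.password = None",
]

if __name__ == "__main__":
    print("reported log:", find_unmasked_secrets(REPORTED_LINES))
    print("before fix:  ", find_unmasked_secrets(dump_as_log(build_config(False))))
    print("after fix:   ", find_unmasked_secrets(dump_as_log(build_config(True))))
```

Running find_unmasked_secrets over a node's keystone log after applying the backport is the practical check: any hit means either the fix is not installed or a sensitive option was added without secret=True. Note that the fix only stops new dumps; admin_token values already written to log files on disk, or shipped to a central log store, have to be treated as exposed and rotated.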
Changed in keystone:
status: In Progress → Fix Committed
Alan Pevec (apevec) on 2013-05-02
Changed in keystone:
importance: Undecided → Low

Reviewed: https://review.openstack.org/27980
Committed: http://github.com/openstack/keystone/commit/c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Submitter: Jenkins
Branch: stable/grizzly

commit c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

    Mark LDAP password and admin_token secret

    Add secret=True to LDAP password and admin_token
    of keystone configuration.

    Fix bug #1172195

    Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75
    (cherry picked from commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8)

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx) on 2013-05-29
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-1 → 2013.2