[OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)

Bug #1443598 reported by Eric Brown on 2015-04-13
Affects                       | Status | Importance | Assigned to       | Milestone
OpenStack Identity (keystone) |        | High       | Eric Brown        |
Icehouse                      |        | High       | Tristan Cacqueray |
Juno                          |        | High       | Eric Brown        |
Kilo                          |        | High       | Doug Hellmann     |
OpenStack Security Advisory   |        | Medium     | Tristan Cacqueray |

Bug Description

The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password.

Snippet from http://docs.openstack.org/developer/keystone/developing.html#dogpile-cache-based-mongodb-nosql-backend

[cache]
# Global cache functionality toggle.
enabled = True

# Referring to specific cache backend
backend = keystone.cache.mongo

# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password

As a result, passwords can be leaked to the keystone logs since the config option is not marked secret.
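
The defect and its fix, modelled as an added example (not keystone's or oslo.config's own code; it simplifies oslo.config's log_opt_values): the pre-fix rendering leaks the MongoDB password, the post-fix rendering masks the whole option once it is marked secret, and leaked_passwords is an operator check over log lines written by an unpatched keystone.

```python
"""Simulation of CVE-2015-3646 and its fix (constructed for this page, not
keystone's or oslo.config's own code). Keystone splits each backend_argument
entry on the first colon; oslo.config's log_opt_values writes ``****`` in
place of the value for options registered with secret=True."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the [cache] section from the bug description.
CACHE_SECTION = {
    "enabled": "True",
    "backend": "keystone.cache.mongo",
    "backend_argument": [
        "db_hosts:localhost:27017",
        "db_name:ks_cache",
        "cache_collection:cache",
        "username:test_user",
        "password:test_password",
    ],
}


def parse_backend_argument(entry: str) -> Tuple[str, str]:
    """Split on the first colon only, so host:port values stay whole."""
    name, value = entry.split(":", 1)
    return name.strip(), value.strip()


def render_opt_values(section: Dict[str, object], secret_opts: frozenset) -> List[str]:
    """Mimic log_opt_values: one line per option, ``****`` for secret ones.
    Before the fix secret_opts is empty; the fix adds 'backend_argument'."""
    lines = []
    for name, value in section.items():
        shown = "****" if name in secret_opts else str(value)
        lines.append("%-30s = %s" % ("cache." + name, shown))
    return lines


# Captures the text after 'password:' up to a quote, comma, bracket or space.
LEAK_PATTERN = re.compile(r"backend_argument\s*=.*\bpassword:([^\s'\",\]]+)")


def leaked_passwords(log_lines: List[str]) -> List[str]:
    """Operator check over logs from an unpatched keystone: anything returned
    here is exposed and the cache backend credential should be rotated."""
    return [m.group(1) for m in map(LEAK_PATTERN.search, log_lines) if m]
```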

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) wrote :
Changed in keystone:
importance: Undecided → High
tags: added: juno-backport-potential
tags: added: icehouse-backport-potential kilo-backport-potential
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete

In case we do issue an advisory, assuming only the MongoDB backend is affected, here is the impact description draft:

Title: Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. An attacker with read access to Keystone logs may obtain the authentication information used to access the cache backend. Only Keystone setups using a password-protected MongoDB as a cache backend are impacted.

Dolph Mathews (dolph) wrote :

Tristan: Are you missing a "2014.1" at the beginning of the "Affects" field?

More importantly, there are other backends provided by dogpile that support authentication through "arguments" (which keystone exposes as "backend_arguments"):

  http://dogpilecache.readthedocs.org/en/latest/api.html#dogpile.cache.backends.memcached.BMemcachedBackend

In addition, custom cache backend implementations could also utilize backend_arguments. All of those would be affected as well.

Jeremy Stanley (fungi) wrote :

Dolph: So this bug only originated in Icehouse? You're saying it should be "2014.1 versions through 2014.1.4..." because you don't believe it existed prior to the first 2014.1 release?

Reviewed: https://review.openstack.org/173034
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9db1a65bd4d83d12c572ba4d5807845996ef410
Submitter: Jenkins
Branch: master

commit f9db1a65bd4d83d12c572ba4d5807845996ef410
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

    backend_argument should be marked secret

    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.

    Closes-Bug: #1443598

    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d

Changed in keystone:
status: In Progress → Fix Committed
tags: added: kilo-rc-potential

Change abandoned by Doug Hellmann (<email address hidden>) on branch: proposed/kilo
Review: https://review.openstack.org/173115
Reason: replaced by https://review.openstack.org/174075 in stable/kilo

Thierry Carrez (ttx) on 2015-04-20
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
status: Confirmed → Triaged

Thanks Dolph for the feedback, here is a revised impact description draft:

Title: Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. An attacker with read access to Keystone logs may obtain sensitive data for certain backends, like a password for MongoDB. All Keystone setups are impacted.

Reviewed: https://review.openstack.org/174075
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Submitter: Jenkins
Branch: stable/kilo

commit 86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

    backend_argument should be marked secret

    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.

    Closes-Bug: #1443598

    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
    (cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Reviewed: https://review.openstack.org/173116
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=695153a523faa9310e2e20d0333c33a47334208a
Submitter: Jenkins
Branch: stable/juno

commit 695153a523faa9310e2e20d0333c33a47334208a
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

    backend_argument should be marked secret

    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.

    Closes-Bug: #1443598

    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
    (cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Thierry Carrez (ttx) on 2015-04-21
tags: removed: kilo-backport-potential kilo-rc-potential

Alternate proposal:

Title: Potential Keystone cache backend password leak in log
Reporter: Eric Brown (VMware)
Products: Keystone
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description:
Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted.

NB: Kilo is not affected.

The impact description in comment #16 looks good to me; I'm requesting a CVE with it now.

summary: - backend_argument containing a password leaked in logs
+ backend_argument containing a password leaked in logs (CVE-2015-3646)
Changed in ossa:
status: Triaged → In Progress
summary: - backend_argument containing a password leaked in logs (CVE-2015-3646)
+ [OSSA 2015-008] backend_argument containing a password leaked in logs
+ (CVE-2015-3646)
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in ossa:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/175519
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a1548eb670d74cac7ff9bb8c4b4228059e6b9e4a
Submitter: Jenkins
Branch: stable/icehouse

commit a1548eb670d74cac7ff9bb8c4b4228059e6b9e4a
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

    backend_argument should be marked secret

    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.

    Closes-Bug: #1443598

    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
    (cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Changed in ossa:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/179288
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9bc6043eb06199b8d4dbf6698e129d984a59cc11
Submitter: Jenkins
Branch: master

commit 65a50eebb8d0a53a2c4c226eb9a564c4d535ac68
Author: Brant Knudson <email address hidden>
Date: Wed Apr 22 11:33:00 2015 -0500

    Sync oslo-incubator Ie51669bd278288b768311ddf56ad31a2f28cc7ab

    This syncs to oslo-incubator to commit 64b5819 and also includes
    51280db.

    Change-Id: I7b43a67a0b67fe0ff5ac3d87708ecc4ab52102f8
    Depends-On: Ie51669bd278288b768311ddf56ad31a2f28cc7ab
    Closes-Bug: #1446583
    (cherry picked from commit 797da5f05444e7cfbf55df52867ade6107834f00)

commit 579a065c0dcce554a5dca86164eb8f1d6fb43c4d
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Apr 20 17:55:55 2015 +0000

    Updated from global requirements

    Change-Id: I72af7a36f2c3ba206be06fa35323386801e6ff81

commit 906485152a8ec886cf4a45cbe1037184ce39f1a1
Author: Andreas Jaeger <email address hidden>
Date: Mon Apr 20 11:11:25 2015 +0200

    Release Import of Translations from Transifex

    Manual import of Translations from Transifex. This change also removes
    all po files that are less than 66 per cent translated since such
    partially translated files will not help users.

    This change needs to be done manually since the automatic import does
    not handle the proposed branches and we need to sync with latest
    translations.

    Change-Id: Iaf4bdae303b06c1af4023fe2daa3a6b03c195ee9

commit 18ca7fabece4837ad56e435bc9d5f0b6278fa4be
Author: Alexander Makarov <email address hidden>
Date: Mon Apr 6 15:49:41 2015 +0300

    Make memcache client reusable across threads

    memcache.Client is inherited from threading._local so instances are only
    accessible from current thread or eventlet. Present workaround broke
    inheritance chain so super() call is unusable.

    This patch makes artificial client class mimic inheritance from
    threading._local while using generic object methods allowing reusability.

    Change-Id: Ic5d5709695877afb995fd816bb0e4ce711b99b60
    Closes-Bug: #1440493
    (cherry picked from commit 33a95575fc3778bf8ef054f7b9d24fcb7c75100b)

commit cedce339a08d475617c7f57c148e192dc3709a34
Author: Thierry Carrez <email address hidden>
Date: Thu Apr 16 22:19:42 2015 +0200

    Set default branch to stable/kilo

    Open stable/kilo branch by setting defaultbranch for git-review.

    Change-Id: If5b35b0fc5a85ba8dda16dc6b365537ed0d839bc

commit 86df39c01e96ad3b15e33eb6fc1bf726a0a704c5
Author: Eric Brown <email address hidden>
Date: Mon Apr 13 11:37:53 2015 -0700

    backend_argument should be marked secret

    Since the backend_argument can potentially contain a password,
    it should be marked secret to avoid leakage into the logs.

    Closes-Bug: #1443598

    Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
    (cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

commit b679e7d6be18d33ebdfe133161a3daf2f305d954
Author: Lance Bragstad <email address hidden>
Date: Tue Apr 7 18:47:34 2015 +0000

    Update man p...


Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-1 → 8.0.0