[OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Eric Brown | |
| Icehouse | Fix Released | High | Tristan Cacqueray | |
| Juno | Fix Released | High | Eric Brown | |
| Kilo | Fix Released | High | Doug Hellmann | |
| OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password.
Snippet from http://
```ini
[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend
backend = keystone.
# Backend specific configuration arguments
backend_argument = db_hosts:
backend_argument = db_name:ks_cache
backend_argument = cache_collectio
backend_argument = username:test_user
backend_argument = password:
```
As a result, passwords can be leaked to the keystone logs since the config option is not marked secret.
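The mechanism behind the bug, as an added example that is not keystone's or oslo.config's own code: a config dump at startup writes every option's values to the log, and only options flagged secret are masked. The `Opt` class, the function names and the sample values below are this example's own constructions; the real keystone fix sets `secret=True` on the `backend_argument` option definition, which is the flag modelled here. The example also includes a small log check a defender can run over existing log files to see whether a `password:` value was ever written in clear.

```python
"""Model of secret-flag masking in a config dump, plus a leak check on log lines.
Added example, not keystone's code. Opt, dump_opt_values and find_leaked_passwords
are names invented for this example; the sample values are constructed."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Opt:
    """A multi-valued config option, like keystone's [cache] backend_argument."""
    name: str
    values: List[str]
    secret: bool = False  # the flag the keystone fix sets on backend_argument


def dump_opt_values(opts: List[Opt]) -> List[str]:
    """Render the lines a startup config dump writes to the log.
    Every value of an option flagged secret is replaced by '****';
    values of other options are written verbatim."""
    lines = []
    for opt in opts:
        for value in opt.values:
            shown = "****" if opt.secret else value
            lines.append(f"cache.{opt.name} = {shown}")
    return lines


# Constructed sample values, modelled on the snippet in the bug description.
BACKEND_ARGS = [
    "db_hosts:cache-db.example.internal:27017",
    "db_name:ks_cache",
    "cache_collection:keystone_cache",
    "username:test_user",
    "password:CONSTRUCTED-SAMPLE-SECRET",
]

# Before the fix: backend_argument is an ordinary option, so its values
# (including the password: entry) reach the log verbatim.
VULNERABLE_OPTS = [
    Opt("enabled", ["True"]),
    Opt("backend_argument", BACKEND_ARGS),
]

# After the fix: the same option marked secret. Masking is per option, so all
# five backend_argument values are hidden, while enabled is still logged.
HARDENED_OPTS = [
    Opt("enabled", ["True"]),
    Opt("backend_argument", BACKEND_ARGS, secret=True),
]

# A password: value that has not been replaced by the **** mask.
LEAK_PATTERN = re.compile(r"\bpassword:(?!\*+\b)\S+", re.IGNORECASE)


def find_leaked_passwords(log_lines: List[str]) -> List[str]:
    """Return the log lines that still carry a clear-text password: value.
    Useful for checking logs written before the fix was deployed."""
    return [line for line in log_lines if LEAK_PATTERN.search(line)]


if __name__ == "__main__":
    for label, opts in (("vulnerable", VULNERABLE_OPTS), ("hardened", HARDENED_OPTS)):
        dump = dump_opt_values(opts)
        print(f"--- {label} config dump ---")
        print("\n".join(dump))
        print("leaked password lines:", find_leaked_passwords(dump))
```

Because the secret flag applies to the whole option rather than to individual `key:value` pairs, the fixed configuration also masks harmless values such as `db_name:ks_cache`; that is the price of keeping the password out of the log. Logs written before the fix still contain the password, so the check above is worth running over archived log files, and the cache backend credential should be rotated if it is found there.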
Changed in keystone:
- status: New → In Progress
- tags: added: kilo-rc-potential

Changed in ossa:
- importance: Undecided → Medium
- status: Incomplete → Confirmed
- status: Confirmed → Triaged
- tags: removed: kilo-backport-potential kilo-rc-potential
- summary: "backend_argument containing a password leaked in logs" → "backend_argument containing a password leaked in logs (CVE-2015-3646)"

Changed in ossa:
- status: Triaged → In Progress
- summary: "backend_argument containing a password leaked in logs (CVE-2015-3646)" → "[OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)"

Changed in ossa:
- assignee: nobody → Tristan Cacqueray (tristan-cacqueray)

Changed in ossa:
- status: In Progress → Fix Committed

Changed in ossa:
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: none → liberty-1
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: liberty-1 → 8.0.0
https://review.openstack.org/#/c/173034/