Cookie hash value displayed in rabbitmq logs

Bug #1761538 reported by Archana Prabhakar on 2018-04-05
Affects: OpenStack Identity (keystone) | Importance: Undecided | Assigned to: Unassigned
Affects: OpenStack Security Notes | Importance: Undecided | Assigned to: Unassigned

Bug Description

Enabled rabbitmq debug and restarted the process. Found sensitive data displayed in logs.

rabbitmq uses the Erlang cookie concept, where a cluster of nodes communicate with each other. Any node that possesses this secret cookie can communicate with the other nodes in the cluster.

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
stopped SSL Listener on [::]:5671

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Stopped RabbitMQ application

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Halting Erlang VM

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
Starting RabbitMQ 3.6.6 on Erlang 19.1.1
Copyright (C) 2007-2016 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
node : rabbit@ip9-114-192-221
home dir : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash : RVLZk6qSkQ471Dqtfk14wA==
log : /<email address hidden>
sasl log : /<email address hidden>
database dir : /var/lib/rabbitmq/mnesia/rabbit@ip9-114-192-221

=INFO REPORT==== 31-Mar-2018::03:29:57 ===
Memory limit set to 3876MB of 9690MB total.
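Because the value sits inside an ordinary startup report, a log-scrubbing check is a practical mitigation for operators who ship or share these logs. The following is an added example, not code from the bug report or from RabbitMQ; it assumes the 3.6-era `=INFO REPORT====` block format shown above and runs over a constructed sample log with a made-up hash value.

```python
import re

# Constructed sample modelled on the RabbitMQ 3.6 log excerpt above.
# The cookie hash value is made up; it is not a real node's hash.
SAMPLE_LOG = """=INFO REPORT==== 31-Mar-2018::03:29:54 ===
Starting RabbitMQ 3.6.6 on Erlang 19.1.1

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
node : rabbit@example-host
home dir : /var/lib/rabbitmq
cookie hash : AAAAAAAAAAAAAAAAAAAAAA==
database dir : /var/lib/rabbitmq/mnesia/rabbit@example-host
"""

# "=INFO REPORT==== <timestamp> ===" opens each block in this log format.
REPORT_HEADER = re.compile(r"^=(\w+) REPORT==== (\S+) ===$")
# The sensitive field the report is about: "cookie hash : <base64>".
COOKIE_LINE = re.compile(r"^(\s*cookie hash\s*:\s*)(\S+)\s*$", re.IGNORECASE)


def split_reports(text):
    """Split an Erlang-style log into (level, timestamp, [body lines]) blocks."""
    reports, current = [], None
    for line in text.splitlines():
        m = REPORT_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            reports.append(current)
        elif current is not None:
            current[2].append(line)
    return reports


def find_cookie_hash_leaks(text):
    """Return (timestamp, hash) for every cookie-hash line, for alerting."""
    leaks = []
    for _level, ts, lines in split_reports(text):
        for line in lines:
            m = COOKIE_LINE.match(line)
            if m:
                leaks.append((ts, m.group(2)))
    return leaks


def redact_cookie_hashes(text):
    """Replace cookie-hash values with a marker before the log leaves the host."""
    scrubbed = "\n".join(COOKIE_LINE.sub(r"\1<redacted>", line)
                         for line in text.splitlines())
    return scrubbed + ("\n" if text.endswith("\n") else "")
```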

Divya K Konoor (dikonoor) wrote :

Archana, I believe the right place to open this bug is at https://github.com/rabbitmq/rabbitmq-server/issues/new, as the logs mentioned here have nothing to do with Keystone.

tags: added: security
Divya K Konoor (dikonoor) wrote :

But logging this Erlang Cache could have a security impact on OpenStack.

Jeremy Stanley (fungi) wrote :

If this behavior is configurable or other mitigation can be devised, or if it gets patched upstream in rabbitmq, then a security note (not advisory) may be appropriate to let operators know about the risk and what they can do.

Gage Hugo (gagehugo) wrote :

This likely is more related to RabbitMQ (and as fungi pointed out, should probably be noted in OSSN) if it has a security impact on OpenStack as a whole, rather than specifically keystone.

Changed in keystone:
status: New → Invalid