sensitive "adminPass" information is logged in OpenStack service logs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
keystoneauth |
New
|
Undecided
|
Unassigned |
Bug Description
If any OpenStack service calls nova "evacuate" or "rescue" API's the sensitive "adminPass" is logged in respective caller's service logs.
For example:
Masakari calls nova "evacuate" with nova api_version 2.9 [1][2] so the response body containing "adminPass" gets logged in masakari-engine logs through keystoneauth library [3] in _http_log_
nova "evacuate" API has been modified in api_version 2.14 [4] in which "adminPass" attribute is removed from response but previous versions will still log this sensitive information.
Nova "rescue" API returns "adminPass" with current nova api_version (2.46).
masakari-engine logs:
DEBUG novaclient.
RESP BODY: {"adminPass": "8NchJ63X6tJh"}
The "adminPass" needs to be masked in keystoneauth at below location [5] using oslo_utils mask_password [6] where it logs the response body.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
information type: | Private Security → Private |
information type: | Private → Private Security |
Reports of suspected vulnerabilities for keystoneauth are not overseen by the OpenStack VMT, but I'm taking the initiative to subscribe keystone-coresec reviewers to this bug anyway since it seems like it may have gone unnoticed (the reporter reached out to the VMT by E-mail to give us a heads up about this particular report).
My recommendation is for keystone-coresec to treat this as a security hardening opportunity since it only seems to affecr debug logging (class B3 in the VMT's report taxonomy), switch the bug type from Private Security to Public, and add the "security" bug tag to it comes to the attention of interested subscribers in the community.