manila logs plaintext ssh passwords in debug mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Shared File Systems Service (Manila) | Fix Released | High | Goutham Pacha Ravi |
Bug Description
I stumbled upon this code while making myself familiar with the manila code in utils.py:
https:/
you should never ever, even in debug mode, log any credentials.
I didn't check yet if/when this gets called in debug mode, so I don't know the severity of this.
For reference, this is CWE-532 (Insertion of Sensitive Information into Log File):
https:/
kind regards
Sven
Thanks, Sven, for subscribing me to this bug. I've taken the liberty of also subscribing the OpenStack vulnerability managers as well as the Manila security reviewers in hopes we can get some initial visibility into this. While reports of suspected security vulnerabilities for Manila aren't officially overseen by the OpenStack VMT ( https://security.openstack.org/repos-overseen.html ), we're happy to assist with triage and providing guidance in such matters.
I agree that logging sensitive data counts as a security-related bug, even when it's limited to debug level logging. OpenStack has, however, not traditionally treated debug-level information disclosure as a severe enough vulnerability to warrant an embargo process in order to discuss and fix (class B3 in our report taxonomy https://security.openstack.org/vmt-process.html#report-taxonomy ), nor severe enough to issue a security advisory. My recommendation to the Manila developers would be to switch this to a normal "Public" bug report and add the "security" bugtag in order to indicate it's a potential security hardening opportunity.