swap volume operation may leak credentials into debug logs
Bug #1685678 reported by Matt Riedemann
This bug report is a duplicate of:
Bug #1761054: nova log expose password when swapvolume.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | In Progress | High | Dane Fichter |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
The swap volume code in the compute service logs old and new volume connection_info dicts to debug here:
The new connection_info comes from Cinder:
That's a plain dict from the response which may contain credentials.
The old connection_info comes from the nova.objects.
https:/
The new connection_info could contain credentials though, so we should mask those when logging it, even at debug level.
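An added example (not nova's patch and not part of the original report): a logging filter that masks credential-like keys in dict arguments such as connection_info before a debug line is rendered. The key fragments, the logger name and the sample connection_info values are constructed assumptions.

```python
import logging
# Assumed key fragments that mark a value as a credential; extend per driver.
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "passphrase")
MASK = "***"

def _is_sensitive(key):
    return isinstance(key, str) and any(f in key.lower() for f in SENSITIVE_FRAGMENTS)

def mask_secrets(value):
    """Return a masked copy of value; the caller's object is never mutated."""
    if isinstance(value, dict):
        return {k: MASK if _is_sensitive(k) else mask_secrets(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(v) for v in value)
    return value

class MaskingFilter(logging.Filter):
    """Mask dict arguments before the log message is rendered."""
    def filter(self, record):
        # logging stores a lone dict argument directly in record.args.
        if isinstance(record.args, dict):
            record.args = mask_secrets(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(mask_secrets(a) for a in record.args)
        return True

class ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    # Constructed sample values, shaped like an iSCSI connection_info dict.
    old_cinfo = {"driver_volume_type": "iscsi", "data": {"target_lun": 0}}
    new_cinfo = {"driver_volume_type": "iscsi",
                 "data": {"target_iqn": "iqn.2010-10.org.example:vol-1",
                          "auth_method": "CHAP", "auth_username": "chapuser",
                          "auth_password": "s3cr3t-chap"}}
    log = logging.getLogger("swap_volume_demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(MaskingFilter())
    log.handlers = [handler]
    log.debug("swap_volume: old %s, new %s", old_cinfo, new_cinfo)
    return handler.lines[0], new_cinfo
```

In OpenStack code, oslo.utils ships `strutils.mask_password` and `strutils.mask_dict_password` for the same purpose.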
description: updated
description: updated
information type: Private Security → Public
Changed in nova:
status: Triaged → Won't Fix
status: Won't Fix → Triaged
Changed in ossa:
status: Incomplete → Won't Fix
Changed in nova:
assignee: Matt Riedemann (mriedem) → Dane Fichter (dane-fichter)
Changed in nova:
assignee: Dane Fichter (dane-fichter) → Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → Dane Fichter (dane-fichter)
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.