novncproxy log contains token info

Bug #1841185 reported by Balazs Gibizer
Affects: OpenStack Compute (nova)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG nova.objects.console_auth_token [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Validated token - console connection is ConsoleAuthToken(access_url_base='http://100.109.0.4:6080/vnc_lite.html',console_type='novnc',created_at=2019-08-23T13:07:03Z,host='127.0.0.1',id=1,instance_uuid=143433d6-693b-4c80-856f-ce57278a13eb,internal_access_path=None,port=5900,token='***',updated_at=None) {{(pid=8414) validate /opt/stack/nova/nova/objects/console_auth_token.py:164}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Acquired lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:265}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Releasing lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:281}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: INFO nova.console.websocketproxy [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] 8: connect info: {'token': ('534104fe-505e-48c7-afe8-64dc26043a7e',), 'instance_uuid': '143433d6-693b-4c80-856f-ce57278a13eb', 'console_type': 'novnc', 'host': '127.0.0.1', 'port': 5900, 'internal_access_path': None, 'access_url': 'http://100.109.0.4:6080/vnc_lite.html?path=%3Ftoken%3D534104fe-505e-48c7-afe8-64dc26043a7e'}

The first log in the above snippet hides the token with '***' but the last log line still contains the token. The token feels like sensitive information so it should not be logged.

Seen in Devstack with Nova hash 83b415041ba9ccd5b92667bfc95b6b9b003fa283

tags: added: security
tags: added: nova-novncproxy
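The report shows the same token reaching the log in two shapes: as the 'token' value of the connect-info dict and again inside access_url as a percent-encoded token%3D query parameter, while the ConsoleAuthToken repr on the first line already masks it with '***'. The following is an added example, not Nova's code and not the patch under review: a small detector that flags log lines where a console token is visible in either shape, plus a redaction helper that masks both places before the dict is logged. All names (find_unmasked_tokens, redact_connect_info, format_connect_line, MASK) and the sample log lines and token values are constructed for illustration; the token is assumed to appear only in those two shapes.

```python
"""Detect and redact noVNC console tokens in nova-novncproxy style log lines.

Added example for this bug report; not Nova's own code. The helper names and
the sample values below are constructed. It assumes the token shows up in one
of the two shapes seen in the report: as the 'token' value of the connect-info
dict, or as a token=<value> query parameter (possibly percent encoded as
token%3D<value>) inside access_url.
"""
import re

MASK = '***'  # the placeholder the ConsoleAuthToken repr already uses

# Shape 1: the dict value, e.g. 'token': ('<value>',) or 'token': '<value>'
TOKEN_IN_DICT = re.compile(r"'token':\s*\(?'([^']+)'")
# Shape 2: a query parameter, e.g. ?token=<value> or the nested, percent-encoded
# path=%3Ftoken%3D<value> form used with vnc_lite.html
TOKEN_IN_URL = re.compile(r"(token(?:=|%3D))([^&'\"\s]+)", re.IGNORECASE)


def find_unmasked_tokens(log_lines):
    """Return (line_number, token) pairs for every token logged in clear text.

    A value equal to MASK is not reported, so a properly redacted line yields
    nothing; each distinct token is reported once per line.
    """
    hits = []
    seen = set()
    for lineno, line in enumerate(log_lines, start=1):
        candidates = TOKEN_IN_DICT.findall(line)
        candidates += [value for _, value in TOKEN_IN_URL.findall(line)]
        for token in candidates:
            if token != MASK and (lineno, token) not in seen:
                seen.add((lineno, token))
                hits.append((lineno, token))
    return hits


def redact_connect_info(connect_info):
    """Return a copy of connect_info that is safe to log.

    Both places the token can appear are masked: the 'token' key itself and
    the copy embedded in access_url. The caller's dict is left untouched.
    """
    safe = dict(connect_info)
    if 'token' in safe:
        safe['token'] = MASK
    url = safe.get('access_url')
    if url:
        safe['access_url'] = TOKEN_IN_URL.sub(r'\g<1>' + MASK, url)
    return safe


def format_connect_line(connect_info):
    """Build a log line in the shape of the report's 'connect info' message."""
    return "INFO nova.console.websocketproxy 8: connect info: %s" % (connect_info,)


# Constructed sample values (not taken from any real deployment).
SAMPLE_TOKEN = 'aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee'
CONNECT_INFO = {
    'token': (SAMPLE_TOKEN,),
    'instance_uuid': '11111111-2222-4333-8444-555555555555',
    'console_type': 'novnc',
    'host': '127.0.0.1',
    'port': 5900,
    'internal_access_path': None,
    'access_url': 'http://vnc.example.test:6080/vnc_lite.html?path=%3Ftoken%3D'
                  + SAMPLE_TOKEN,
}
SAMPLE_LOG = [
    # A line that already masks the token, as the ConsoleAuthToken repr does.
    "DEBUG nova.objects.console_auth_token Validated token - console connection is "
    "ConsoleAuthToken(console_type='novnc',host='127.0.0.1',port=5900,token='***')",
    # The unredacted connect-info line the report complains about.
    format_connect_line(CONNECT_INFO),
]

if __name__ == '__main__':
    for lineno, token in find_unmasked_tokens(SAMPLE_LOG):
        print('line %d leaks token %s' % (lineno, token))
    print(format_connect_line(redact_connect_info(CONNECT_INFO)))
```

Running the detector over the sample reports only the second line, and running it again over the line built from the redacted dict reports nothing, which is the check a reviewer would want for any fix: the token must disappear from the URL copy as well, since masking the 'token' key alone leaves the percent-encoded copy in access_url readable.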
Revision history for this message
Matt Riedemann (mriedem) wrote :

If this is marked private + security I'm not sure a public patch should have been posted for it already:

https://review.opendev.org/#/c/678234/

Given it's related to https://bugs.launchpad.net/nova/+bug/1197459 which is public and marked as won't fix for the OSSA I'm not sure how this is different.

Also, I'm pretty sure this is a duplicate of https://bugs.launchpad.net/nova/+bug/1492140 which has had a fix up for a long time: https://review.opendev.org/#/c/220622/

So maybe just take that over instead?

Balazs Gibizer (balazs-gibizer) wrote :

@Matt: Thanks for the info. I will take over https://review.opendev.org/#/c/220622/ and mark this bug as duplicate.

Jeremy Stanley (fungi) wrote :

I've also switched this bug to public since it's a duplicate of an already public bug.

information type: Private Security → Public
information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

Sorry, I guess it's actually a duplicate of a public security bug, not just a normal public bug, so adjusted accordingly.

This report contains Public Security information  