novncproxy log contains token info

Bug #1841185 reported by Balazs Gibizer on 2019-08-23
Affects: OpenStack Compute (nova) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG nova.objects.console_auth_token [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Validated token - console connection is ConsoleAuthToken(access_url_base='http://100.109.0.4:6080/vnc_lite.html',console_type='novnc',created_at=2019-08-23T13:07:03Z,host='127.0.0.1',id=1,instance_uuid=143433d6-693b-4c80-856f-ce57278a13eb,internal_access_path=None,port=5900,token='***',updated_at=None) {{(pid=8414) validate /opt/stack/nova/nova/objects/console_auth_token.py:164}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Acquired lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:265}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: DEBUG oslo_concurrency.lockutils [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] Releasing lock "compute-rpcapi-router" {{(pid=8414) lock /usr/local/lib/python3.6/dist-packages/oslo_concurrency/lockutils.py:281}}
Aug 23 13:07:57 ubuntu nova-novncproxy[665]: INFO nova.console.websocketproxy [None req-708425cd-0340-4d2f-a245-b19e8a381d6e None None] 8: connect info: {'token': ('534104fe-505e-48c7-afe8-64dc26043a7e',), 'instance_uuid': '143433d6-693b-4c80-856f-ce57278a13eb', 'console_type': 'novnc', 'host': '127.0.0.1', 'port': 5900, 'internal_access_path': None, 'access_url': 'http://100.109.0.4:6080/vnc_lite.html?path=%3Ftoken%3D534104fe-505e-48c7-afe8-64dc26043a7e'}

The first log line in the above snippet hides the token with '***', but the last log line still contains the token. The token feels like sensitive information, so it should not be logged.

Seen in Devstack with Nova hash 83b415041ba9ccd5b92667bfc95b6b9b003fa283
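The two log lines above differ in one place: the ConsoleAuthToken repr masks its token field, while the websocketproxy INFO line prints the raw connect-info dict, whose access_url also embeds the same token inside its percent-encoded path= query. A redaction helper therefore has to cover both the 'token' key and the URL. The following is an added example, not nova's own code and not the fix under review; the helper names are mine and the connect-info dict is reconstructed from the INFO line in the report.

```python
import copy
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

MASK = "***"
# Matches a 'token=' query parameter inside an already-decoded value.
_TOKEN_PARAM = re.compile(r"(?i)(\btoken=)[^&]*")

def mask_url(url):
    """Mask every 'token' query parameter, even one nested in another (encoded) value."""
    parts = urlsplit(url)
    params = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "token":
            value = MASK
        else:
            # parse_qsl decoded the value, so a nested '?token=...' is visible now.
            value = _TOKEN_PARAM.sub(r"\g<1>" + MASK, value)
        params.append((key, value))
    # safe="*" keeps the mask readable instead of encoding it as %2A%2A%2A.
    return urlunsplit(parts._replace(query=urlencode(params, safe="*")))

def redact_connect_info(info):
    """Copy of a connect-info dict that is safe to log ('token' may be a str or 1-tuple)."""
    safe = copy.deepcopy(info)
    if "token" in safe:
        tok = safe["token"]
        safe["token"] = (MASK,) if isinstance(tok, tuple) else MASK
    for key in ("access_url", "access_url_base"):
        if isinstance(safe.get(key), str):
            safe[key] = mask_url(safe[key])
    return safe

def leaks_secret(rendered, secret):
    """Does a rendered log message still contain the secret, plain or URL-encoded?"""
    return secret in rendered or quote(secret, safe="") in rendered

# Constructed sample: the connect-info dict from the INFO line in the report.
CONNECT_INFO = {
    "token": ("534104fe-505e-48c7-afe8-64dc26043a7e",),
    "instance_uuid": "143433d6-693b-4c80-856f-ce57278a13eb",
    "console_type": "novnc", "host": "127.0.0.1", "port": 5900,
    "internal_access_path": None,
    "access_url": "http://100.109.0.4:6080/vnc_lite.html"
                  "?path=%3Ftoken%3D534104fe-505e-48c7-afe8-64dc26043a7e",
}

if __name__ == "__main__":
    print("8: connect info: %s" % CONNECT_INFO)                       # leaks
    print("8: connect info: %s" % redact_connect_info(CONNECT_INFO))  # masked
```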

tags: added: security
tags: added: nova-novncproxy
Matt Riedemann (mriedem) wrote :

If this is marked private + security I'm not sure a public patch should have been posted for it already:

https://review.opendev.org/#/c/678234/

Given it's related to https://bugs.launchpad.net/nova/+bug/1197459 which is public and marked as won't fix for the OSSA I'm not sure how this is different.

Also, I'm pretty sure this is a duplicate of https://bugs.launchpad.net/nova/+bug/1492140 which has had a fix up for a long time: https://review.opendev.org/#/c/220622/

So maybe just take that over instead?

Balazs Gibizer (balazs-gibizer) wrote :

@Matt: Thanks for the info. I will take over https://review.opendev.org/#/c/220622/ and mark this bug as duplicate.

Jeremy Stanley (fungi) wrote :

I've also switched this bug to public since it's a duplicate of an already public bug.

information type: Private Security → Public
information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

Sorry, I guess it's actually a duplicate of a public security bug, not just a normal public bug, so adjusted accordingly.
