| 2023-03-28 01:30:21 |
melanie witt |
bug |
|
|
added bug |
| 2023-03-28 01:30:44 |
melanie witt |
description |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
Example for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason, I am opening a bug for review.
Example for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
|
| 2023-03-28 01:32:04 |
melanie witt |
description |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason, I am opening a bug for review.
Example for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
|
| 2023-03-28 01:35:59 |
melanie witt |
description |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
These are logged a lot when using OSC + server names because OSC always tries to lookup a name as a UUID (which will fail with 404) before it falls back on trying it as an ID. So commands such as 'openstack server show MyVM' will produce debug logs like the following.
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
|
| 2023-03-28 01:36:22 |
melanie witt |
description |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
These are logged a lot when using OSC + server names because OSC always tries to lookup a name as a UUID (which will fail with 404) before it falls back on trying it as an ID. So commands such as 'openstack server show MyVM' will produce debug logs like the following.
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
Noticed this while working on something else, if the API is going to return a non 2xx HTTP success status code, a lot of request details are logged including the user's unsanitized auth token. In the past, operators considered this to be a security issue despite logging only at level DEBUG. For this reason I am opening a bug for review.
This particular logging code was added in the Zed release:
https://review.opendev.org/c/openstack/nova/+/806683
These are logged a lot when using OSC + server names because OSC always tries to lookup a name as a UUID (which will fail with 404) before it falls back on trying it as an ID. So commands such as 'openstack server show MyServer' will produce debug logs like the following.
Example log for GET /servers HTTP 404:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: INFO nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] HTTP exception thrown: Instance test could not be found.
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: DEBUG nova.api.openstack.wsgi [None req-f5dbcb16-318b-4b19-96a6-62492ac94677 demo demo] Request method failure captured:
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: request: GET /compute/v2.1/servers/test HTTP/1.1
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept: application/json
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Accept-Encoding: gzip, deflate
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Connection: keep-alive
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Content-Length: 0
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Host: 192.168.44.11
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: Openstack-System-Scope: None
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: User-Agent: python-novaclient
Mar 28 01:11:57 ubuntu-focal devstack@n-api.service[3890335]: X-Auth-Token: gAAAAABkIj7cGDJYKbnQalHot3qfNuAY1AMwMdKFP0kVQB6_8HRCSizDQpxMfspjx2S7t8rMWPSwYwg0-Yox2QM9E3KPWVq72YPl-cr8XwlDIn-ev9WjpmkmCtlOqOs0M0rOSvQggxdNB0xLx
2-gYiWUyMAYW6A1vXcup7Rvs8-YFetPKr2vGnY
[...]
Full log trace:
https://paste.openstack.org/show/bx9CmbgOsDNrIn16PfUW |
|
| 2023-04-12 09:23:01 |
Balazs Gibizer |
nova: status |
New |
Triaged |
|
| 2023-04-12 09:23:06 |
Balazs Gibizer |
nova: importance |
Undecided |
Critical |
|
| 2023-04-12 09:25:00 |
Balazs Gibizer |
information type |
Public |
Private Security |
|
| 2023-04-12 09:35:27 |
Sylvain Bauza |
bug task added |
|
ossa |
|
| 2023-04-12 09:37:40 |
Sylvain Bauza |
bug |
|
|
added subscriber Nova Core security contacts |
| 2023-05-02 15:52:30 |
Sylvain Bauza |
information type |
Private Security |
Public Security |
|
| 2023-05-02 15:54:07 |
Sylvain Bauza |
nova: assignee |
|
Sylvain Bauza (sylvain-bauza) |
|
| 2023-05-02 16:27:06 |
Jeremy Stanley |
ossa: status |
New |
Won't Fix |
|
| 2023-05-02 16:27:12 |
Jeremy Stanley |
information type |
Public Security |
Public |
|
| 2023-05-09 23:54:09 |
OpenStack Infra |
nova: status |
Triaged |
Fix Released |
|
| 2023-05-16 11:09:42 |
OpenStack Infra |
tags |
api security |
api in-stable-zed security |
|
