OpenStack Compute (Nova)

Admin password in clear text in nova-compute log file

Reported by Jay Pipes on 2012-01-11
Affects: OpenStack Compute (nova) | Importance: Medium | Assigned to: Thierry Carrez
Affects: Diablo | Importance: Medium | Assigned to: Russell Bryant

Bug Description

When launching instances, the admin password is logged in clear text in the nova-compute log file:

2012-01-11 15:39:16,176 DEBUG nova.rpc [-] received {u'_context_roles': [u'Admin', u'Admin', u'KeystoneAdmin', u'KeystoneServiceAdmin'], u'_context_request_id': u'40cbde8c-3e2b-44f4-a78d-e3aeefb8027f', u'_context_read_deleted': u'no', u'args': {u'instance_uuid': u'40cf5070-1d34-4be9-8af2-d8d810bd5b1d', u'requested_networks': None, u'admin_password': u'ckMnu9pgeZHC', u'injected_files': []}, u'_context_auth_token': u'servicetoken', u'_context_strategy': u'keystone', u'_context_is_admin': True, u'_context_project_id': u'1', u'_context_timestamp': u'2012-01-11T20:39:15.438060', u'_context_user_id': u'admin', u'method': u'run_instance', u'_context_remote_address': u'127.0.0.1'} from (pid=27771) __call__ /opt/stack/nova/nova/rpc/impl_kombu.py:629

Thierry Carrez (ttx) wrote :

@Jay: do you agree to open this bug to the public, as we did for all the other "debug messages leak information in logs" reports?

Adding Vish and markmc
@markmc: do you want to wait for this to be fixed before releasing 2011.3.1?

Mark McLoughlin (markmc) wrote :

If it's made public like other similar bugs, I'm sure there's a good chance of getting the fix in time for 2011.3.1. I don't think it's worth delaying the release significantly, though.

Vish Ishaya (vishvananda) wrote :

public is ok with me

Jay Pipes (jaypipes) wrote :

@ttx I made those other reports public on request from Mark so he could add them as targets for stable/diablo. Sorry for unsetting the security checkboxes...

Mark McLoughlin (markmc) wrote :

@jaypipes different set of bugs; the ones I asked you to open were ones which were already fixed on stable/diablo, so the vulnerabilities were already public knowledge. I only asked you to open them after talking to @ttx

AFAIK the bugs @ttx is talking about are the ones where we said "because it's only a password in debug logs, this bug isn't high enough impact to keep private in advance of fixing it, so let's make it public". I can't find a good example now, but I definitely recall something like

Jay Pipes (jaypipes) wrote :

Gotcha. Yeah, I'm fine making this public... was just playing it safe originally.

visibility: private → public
Thierry Carrez (ttx) on 2012-01-13
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
Thierry Carrez (ttx) wrote :

Suggestion on fix: better to remove the RPC received tracing completely, or implement some smart filtering of the contents before display? The latter sounds a bit expensive.

Thierry Carrez (ttx) on 2012-01-24
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/3348
Committed: http://github.com/openstack/nova/commit/fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5
Submitter: Jenkins
Branch: master

commit fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5
Author: Thierry Carrez <email address hidden>
Date: Tue Jan 24 14:25:26 2012 +0100

    Do not output admin_password in debug logs

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Change-Id: I9004dee422a9e5411b8e440ab80030849d137dab

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → essex-4

Reviewed: https://review.openstack.org/3960
Committed: http://github.com/openstack/nova/commit/552a53d49d7fbf190f1478b110f6934ebb0620c4
Submitter: Jenkins
Branch: stable/diablo

commit 552a53d49d7fbf190f1478b110f6934ebb0620c4
Author: Russell Bryant <email address hidden>
Date: Thu Feb 9 09:39:15 2012 -0500

    Don't log sensitive data in compute log file.

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Sanitize new_pass from set_admin_password. Fixes bug 920687.

    Manually merged from:
      ccbc940211c348940ca9766ef60328302a080f9a
      fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5

    Change-Id: I3af8263f88ef2e68d5d7f6d8c4824737fffcf461
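
A sketch of the "filter the contents before display" option discussed in this thread, added here as an illustration; it is not the code from either commit. The key names come from the two commit messages; the function names, logger name, mask string and sample message are assumptions, and the masking is generalized to nested arguments.

```python
import logging

# Argument names taken from the commit messages above.
SENSITIVE_KEYS = frozenset({"admin_password", "new_pass"})
MASK = "<SANITIZED>"  # assumed placeholder text

LOG = logging.getLogger("rpc.example")  # hypothetical logger name


def sanitize(value, sensitive=SENSITIVE_KEYS):
    """Return a copy of value with sensitive dict entries masked at any depth."""
    if isinstance(value, dict):
        return {k: MASK if k in sensitive else sanitize(v, sensitive)
                for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v, sensitive) for v in value]
    if isinstance(value, tuple):
        return tuple(sanitize(v, sensitive) for v in value)
    return value


def log_received(message, log=LOG):
    """Log an incoming RPC message at DEBUG without exposing secrets.

    The masked copy is built only when DEBUG is enabled, so the filtering
    costs nothing at higher log levels. The original message is left
    untouched, so the RPC handler still receives the real password.
    """
    if not log.isEnabledFor(logging.DEBUG):
        return None
    safe = sanitize(message)
    log.debug("received %s", safe)
    return safe


# Constructed sample, modelled on the log line in the bug description.
SAMPLE = {
    "method": "run_instance",
    "args": {
        "instance_uuid": "00000000-0000-0000-0000-000000000000",
        "requested_networks": None,
        "admin_password": "example-password",
        "injected_files": [],
    },
    "_context_user_id": "admin",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_received(SAMPLE)
```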

tags: added: in-stable-diablo
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1
This report contains Public Security information
Everyone can see this security related information.
