Admin password in clear text in nova-compute log file

Bug #915025 reported by Jay Pipes on 2012-01-11
This bug affects 1 person
Affects: OpenStack Compute (nova)
Assigned to: Thierry Carrez, Russell Bryant

Bug Description

When launching instances, the admin password is logged in clear text in the nova-compute log file:

2012-01-11 15:39:16,176 DEBUG nova.rpc [-] received {u'_context_roles': [u'Admin', u'Admin', u'KeystoneAdmin', u'KeystoneServiceAdmin'], u'_context_request_id': u'40cbde8c-3e2b-44f4-a78d-e3aeefb8027f', u'_context_read_deleted': u'no', u'args': {u'instance_uuid': u'40cf5070-1d34-4be9-8af2-d8d810bd5b1d', u'requested_networks': None, u'admin_password': u'ckMnu9pgeZHC', u'injected_files': []}, u'_context_auth_token': u'servicetoken', u'_context_strategy': u'keystone', u'_context_is_admin': True, u'_context_project_id': u'1', u'_context_timestamp': u'2012-01-11T20:39:15.438060', u'_context_user_id': u'admin', u'method': u'run_instance', u'_context_remote_address': u''} from (pid=27771) __call__ /opt/stack/nova/nova/rpc/

Thierry Carrez (ttx) wrote :

@Jay: do you agree to open this bug to the public, as we did for all the other "debug messages leak information in logs" reports?

Adding Vish and markmc
@markmc: do you want to wait for this to be fixed before releasing 2011.3.1?

Mark McLoughlin (markmc) wrote :

If it's made public like other similar bugs, I'm sure there's a good chance of getting the fix in time for 2011.3.1. I don't think it's worth delaying the release significantly, though.

Vish Ishaya (vishvananda) wrote :

public is ok with me

Jay Pipes (jaypipes) wrote :

@ttx I made those other reports public on request from Mark so he could add them as targets for stable/diablo. Sorry for unsetting the security checkboxes...

Mark McLoughlin (markmc) wrote :

@jaypipes different set of bugs; the ones I asked you to open were ones which were already fixed on stable/diablo, so the vulnerabilities were already public knowledge. I only asked you to open them after talking to @ttx.

AFAIK the bugs @ttx is talking about are where we said "because it's only a password in debug logs, this bug isn't high enough impact to keep private in advance of fixing it, so let's make it public". I can't find a good example now, but I definitely recall something like

Jay Pipes (jaypipes) wrote :

Gotcha. Yeah, I'm fine making this public... was just playing it safe originally.

visibility: private → public
Thierry Carrez (ttx) on 2012-01-13
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
Thierry Carrez (ttx) wrote :

Suggestion on fix: better to remove the RPC received tracing completely, or implement some smart filtering of the contents before display? The latter sounds a bit expensive.
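
The second option above, filtering the envelope before it is formatted for the log, is what the fix commits for this bug and for bug 920687 describe ("sanitize run_instance's admin_password argument" and "sanitize new_pass from set_admin_password"). The following is an added illustration of that approach, written for this page; it is not nova's code and not the content of either commit. It assumes a fixed set of sensitive argument names (`SENSITIVE_KEYS`, an assumption here) and shows three pieces a defender wants together: a recursive sanitizer that masks those keys wherever they sit in the envelope, a formatter that only ever sees the sanitized copy, and a `leaked_secrets` self-check that can serve as a regression test against the exact failure in this report. The sample envelope is constructed to match the shape of the trace above, with placeholder values.

```python
import logging
from typing import Any, Dict, List

# Argument names that must never be written to a log. 'admin_password' is the
# run_instance argument leaked in this report and 'new_pass' the
# set_admin_password argument named in the stable/diablo commit message.
# Treating them as a fixed set is an assumption of this example.
SENSITIVE_KEYS = frozenset({"admin_password", "new_pass"})
MASK = "<SANITIZED>"

LOG = logging.getLogger("nova.rpc")


def sanitize_rpc_message(msg: Any) -> Any:
    """Return a copy of an RPC message with sensitive values replaced by MASK.

    Recurses through nested dicts and lists, so a password under msg['args']
    (where the 'received' trace in this report found it) is masked too.
    New containers are built rather than mutated, so the dispatcher still
    receives the real arguments.
    """
    if isinstance(msg, dict):
        return {
            key: (MASK if key in SENSITIVE_KEYS and value is not None
                  else sanitize_rpc_message(value))
            for key, value in msg.items()
        }
    if isinstance(msg, list):
        return [sanitize_rpc_message(item) for item in msg]
    return msg


def collect_secret_values(msg: Any) -> List[str]:
    """Collect the string values stored under sensitive keys (for self-checks)."""
    found: List[str] = []
    if isinstance(msg, dict):
        for key, value in msg.items():
            if key in SENSITIVE_KEYS and isinstance(value, str):
                found.append(value)
            else:
                found.extend(collect_secret_values(value))
    elif isinstance(msg, list):
        for item in msg:
            found.extend(collect_secret_values(item))
    return found


def leaked_secrets(log_line: str, msg: Any) -> List[str]:
    """Return the secret values from msg that appear verbatim in log_line.

    An empty list means the line is safe to emit. Suitable as a regression
    test around any code path that formats an RPC envelope for logging.
    """
    return [s for s in collect_secret_values(msg) if s and s in log_line]


def log_received(msg: Dict[str, Any]) -> str:
    """Format the 'received' debug trace from a sanitized copy and return it.

    Only the sanitized copy reaches the formatter; the unsanitized msg is
    reserved for the dispatcher.
    """
    line = "received %r" % (sanitize_rpc_message(msg),)
    LOG.debug(line)
    return line


# Constructed sample envelope, shaped like the nova.rpc trace in this report.
# UUIDs and the password are placeholders, not values from any deployment.
SAMPLE_MSG = {
    "_context_roles": ["Admin", "KeystoneAdmin"],
    "_context_request_id": "00000000-0000-4000-8000-000000000001",
    "method": "run_instance",
    "args": {
        "instance_uuid": "00000000-0000-4000-8000-000000000002",
        "requested_networks": None,
        "admin_password": "constructed-secret-1",
        "injected_files": [],
    },
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    emitted = log_received(SAMPLE_MSG)
    assert leaked_secrets(emitted, SAMPLE_MSG) == []
    print(emitted)
```

The walk is a single pass over the envelope with no copying of non-sensitive leaves, so the cost the comment above worries about is roughly that of the `repr()` the trace already pays. Keeping the key list explicit also makes the check auditable: adding a new password-bearing RPC argument means adding its name here, and `leaked_secrets` in a unit test catches the case where someone forgets.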

Thierry Carrez (ttx) on 2012-01-24
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress

Submitter: Jenkins
Branch: master

commit fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5
Author: Thierry Carrez <email address hidden>
Date: Tue Jan 24 14:25:26 2012 +0100

    Do not output admin_password in debug logs

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Change-Id: I9004dee422a9e5411b8e440ab80030849d137dab

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → essex-4

Submitter: Jenkins
Branch: stable/diablo

commit 552a53d49d7fbf190f1478b110f6934ebb0620c4
Author: Russell Bryant <email address hidden>
Date: Thu Feb 9 09:39:15 2012 -0500

    Don't log sensitive data in compute log file.

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Sanitize new_pass from set_admin_password. Fixes bug 920687.

    Manually merged from:

    Change-Id: I3af8263f88ef2e68d5d7f6d8c4824737fffcf461

tags: added: in-stable-diablo
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1