Admin password in clear text in nova-compute log file

Bug #915025 reported by Jay Pipes
Affects: OpenStack Compute (nova); status: Fix Released; importance: Medium; assigned to: Thierry Carrez
Affects: nova (Diablo); status: Fix Released; importance: Medium; assigned to: Russell Bryant

Bug Description

When launching instances, the admin password is logged in clear text in the nova-compute log file:

2012-01-11 15:39:16,176 DEBUG nova.rpc [-] received {u'_context_roles': [u'Admin', u'Admin', u'KeystoneAdmin', u'KeystoneServiceAdmin'], u'_context_request_id': u'40cbde8c-3e2b-44f4-a78d-e3aeefb8027f', u'_context_read_deleted': u'no', u'args': {u'instance_uuid': u'40cf5070-1d34-4be9-8af2-d8d810bd5b1d', u'requested_networks': None, u'admin_password': u'ckMnu9pgeZHC', u'injected_files': []}, u'_context_auth_token': u'servicetoken', u'_context_strategy': u'keystone', u'_context_is_admin': True, u'_context_project_id': u'1', u'_context_timestamp': u'2012-01-11T20:39:15.438060', u'_context_user_id': u'admin', u'method': u'run_instance', u'_context_remote_address': u'127.0.0.1'} from (pid=27771) __call__ /opt/stack/nova/nova/rpc/impl_kombu.py:629

Thierry Carrez (ttx) wrote:

@Jay: do you agree to open this bug to the public, as we did for all the other "debug messages leak information in logs" reports?

Adding Vish and markmc
@markmc: do you want to wait for this to be fixed before releasing 2011.3.1?

Mark McLoughlin (markmc) wrote:

If it's made public like other similar bugs, I'm sure there's a good chance of getting the fix in time for 2011.3.1. I don't think it's worth delaying the release significantly, though.

Vish Ishaya (vishvananda) wrote:

Public is OK with me.

Jay Pipes (jaypipes) wrote:

@ttx I made those other reports public on request from Mark so he could add them as targets for stable/diablo. Sorry for unsetting the security checkboxes...

Mark McLoughlin (markmc) wrote:

@jaypipes different set of bugs; the ones I asked you to open were ones which were already fixed on stable/diablo, so the vulnerabilities were already public knowledge. I only asked you to open them after talking to @ttx.

AFAIK the bugs @ttx is talking about are where we said "because it's only a password in debug logs, this bug isn't high enough impact to keep private in advance of fixing it, so let's make it public". I can't find a good example now, but I definitely recall something like

Jay Pipes (jaypipes) wrote:

Gotcha. Yeah, I'm fine making this public... was just playing it safe originally.

visibility: private → public
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
Thierry Carrez (ttx) wrote:

Suggestion on fix: better to remove the RPC received tracing completely, or implement some smart filtering of the contents before display? The latter sounds a bit expensive.
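
As an added example (not code from this page or from nova itself), the following shows the "filtering of the contents before display" option weighed above, applied to an RPC envelope shaped like the one quoted in the bug description: a recursive sanitizer that replaces the values of known sensitive keys before the message is rendered into the "received" debug line (the approach the merged fix takes for admin_password), a logging.Filter fallback that scrubs text that was formatted before sanitizing, and a small check for scanning existing log lines for a known leaked value. The admin_password and new_pass key names come from this page; the _context_auth_token key, the <SANITIZED> marker, the function names and every sample value are assumptions constructed for the example.

```python
import logging
import re

# Keys whose values must never reach a log line. admin_password and new_pass
# are the argument names the fixes on this page sanitize; the auth-token key
# is an added assumption about what else an RPC envelope can carry.
SENSITIVE_KEYS = frozenset({"admin_password", "new_pass", "_context_auth_token"})
REDACTED = "<SANITIZED>"

# Constructed sample in the shape of the 'received' message from the report;
# every value here is made up for the example.
SAMPLE_MSG = {
    "method": "run_instance",
    "_context_user_id": "admin",
    "_context_auth_token": "example-token",
    "args": {
        "instance_uuid": "00000000-0000-4000-8000-000000000001",
        "requested_networks": None,
        "admin_password": "constructed-secret",
        "injected_files": [],
    },
}


def sanitize(obj):
    """Return a copy of obj with the values of sensitive keys replaced.

    Recurses into nested dicts, lists and tuples so a password two levels
    down (as in the 'args' sub-dict) is still caught. The original message
    is left untouched, so the RPC call itself still receives the real value.
    """
    if isinstance(obj, dict):
        return {
            key: REDACTED if key in SENSITIVE_KEYS else sanitize(value)
            for key, value in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(sanitize(value) for value in obj)
    return obj


def received_debug_text(msg):
    """Build the 'received ...' debug text from a sanitized copy (call-site approach)."""
    return "received %r" % (sanitize(msg),)


# Fallback for text formatted before sanitizing: scrub the quoted value that
# follows a sensitive key, whichever quote style and u'' prefix the repr used.
_SECRET_VALUE = re.compile(
    r'''(['"](?:%s)['"]:\s*)u?(?:'[^']*'|"[^"]*")''' % "|".join(sorted(SENSITIVE_KEYS))
)


def scrub_text(text):
    """Replace the value after any sensitive key in already-formatted text."""
    return _SECRET_VALUE.sub(r"\1'%s'" % REDACTED, text)


class RedactSecretsFilter(logging.Filter):
    """Last line of defence on a logger or handler: scrub the formatted message before it is emitted."""

    def filter(self, record):
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # already interpolated above; prevent a second formatting pass
        return True


def leaks_secret(line, secrets):
    """Detection check for existing logs: does this line contain any known secret value?"""
    return any(secret in line for secret in secrets)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(name)s %(message)s")
    log = logging.getLogger("nova.rpc")
    log.debug(received_debug_text(SAMPLE_MSG))   # sanitized at the call site
    log.addFilter(RedactSecretsFilter())
    log.debug("received %r", SAMPLE_MSG)         # caught by the filter instead
```

The cost concern raised above is bounded: sanitize walks each message once, so the expense is linear in message size, and it only runs where the debug line is built. The regex fallback is cheaper per call but only recognizes the quoted forms it was written for, which is why sanitizing the structure at the call site, as the merged fix does, should remain the primary control and the filter a safety net.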

Thierry Carrez (ttx)
Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/3348

OpenStack Infra (hudson-openstack) wrote: Fix merged to nova (master)

Reviewed: https://review.openstack.org/3348
Committed: http://github.com/openstack/nova/commit/fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5
Submitter: Jenkins
Branch: master

commit fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5
Author: Thierry Carrez <email address hidden>
Date: Tue Jan 24 14:25:26 2012 +0100

    Do not output admin_password in debug logs

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Change-Id: I9004dee422a9e5411b8e440ab80030849d137dab

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → essex-4
OpenStack Infra (hudson-openstack) wrote: Fix proposed to nova (stable/diablo)

Fix proposed to branch: stable/diablo
Review: https://review.openstack.org/3960

OpenStack Infra (hudson-openstack) wrote: Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/3960
Committed: http://github.com/openstack/nova/commit/552a53d49d7fbf190f1478b110f6934ebb0620c4
Submitter: Jenkins
Branch: stable/diablo

commit 552a53d49d7fbf190f1478b110f6934ebb0620c4
Author: Russell Bryant <email address hidden>
Date: Thu Feb 9 09:39:15 2012 -0500

    Don't log sensitive data in compute log file.

    Sanitize run_instance's admin_password argument from
    nova.rpc 'received' debug logging. Fixes bug 915025.

    Sanitize new_pass from set_admin_password. Fixes bug 920687.

    Manually merged from:
      ccbc940211c348940ca9766ef60328302a080f9a
      fa10e7ad5b3f6ab5de5b7b187da7a8bf05a263d5

    Change-Id: I3af8263f88ef2e68d5d7f6d8c4824737fffcf461

tags: added: in-stable-diablo
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1
This report contains Public Security information: everyone can see this security-related information.