[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)

See related bug 1321785 for obfuscating the block device mapping connection_info dict.

Confirmed that the StorageError in the volume_utils code would get raised up through the attach_volume method in the virt driver and that would be logged here:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/block_device.py#L259

Fix proposed to branch: master
Review: https://review.openstack.org/245987

Just to make sure, the exception will be logged without DEBUG mode right ?

Reviewed: https://review.openstack.org/245987
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8b289237ed6d53738c22878decf0c429301cf3d0
Submitter: Jenkins
Branch: master

commit 8b289237ed6d53738c22878decf0c429301cf3d0
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/247825

Reviewed: https://review.openstack.org/247825
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cf197ec2d682fb4da777df2291ca7ef101f73b77
Submitter: Jenkins
Branch: stable/liberty

commit cf197ec2d682fb4da777df2291ca7ef101f73b77
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765
    (cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/249239

@Tristan, per comment 4, yeah it can fail on attach and be logged here at ERROR level:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/block_device.py#L259

This issue was fixed in the openstack/nova 13.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/249239
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ef1ccdaca9512b88878155f7d8c2c77853d91252
Submitter: Jenkins
Branch: stable/kilo

commit ef1ccdaca9512b88878155f7d8c2c77853d91252
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765
    (cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)
    (cherry picked from commit cf197ec2d682fb4da777df2291ca7ef101f73b77)

Does this seem like a reasonable / correct impact description for this:

Title: Potential Xen connection password leak via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Mat Riedemann from IBM reported a information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials which are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova setups using the Xen backend are affected
by this flaw.

This is looking good to me Tony, thanks!
Though, the title could be a bit less dramatic if it also mentions "leak in log".

Spelling my name correctly in the description would be nice (Matt). :)

lol sorry matt.

Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.

Per:

Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

That's Juno, Kilo and Liberty, respectively. Since Icehouse was EOL at the time that I was checking this, I didn't include that in the bug report, but if it is affected do we need to list it (and previous versions)? If needed I can figure that out, I'll have to do it internally anyway since we still support going back to Grizzly. But if it's not something you'd put in that impact statement, nevermind.

FWIW I based the version range on: git tag --contains 49765dda1021a96abd2d87aa642d65c299fbd69d

Oh well, if the oldest version affected is not easily identified, we can leave it open-ended: like this:

Affects: <= 2015.1.2, ==12.0.0

Else, the impact description proposed in comment #15 LGTM. Thanks Grant*

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/267178

Reviewed: https://review.openstack.org/267178
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b2acc9fa864b6fe10bc0c5f3786b976b472b1b27
Submitter: Jenkins
Branch: stable/liberty

commit b2acc9fa864b6fe10bc0c5f3786b976b472b1b27
Author: Matt Riedemann <email address hidden>
Date: Wed Jan 13 09:41:57 2016 -0800

    Add security fixes to the release notes for 12.0.1

    There are two security fixes in the upcoming stable/liberty
    point release (12.0.1) so we should document those in the
    release notes.

    This shouldn't be merged until I11485f077d28f4e97529a691e55e3e3c0bea8872
    is merged. We don't use Depends-On here since we don't want to hold this
    up on the stable/kilo backport of that change.

    Change-Id: Ib2235d6aee540d9010dc86c73aff71179d46e921
    Related-Bug: #1516765
    Related-Bug: #1524274

This issue was fixed in the openstack/nova 12.0.1 release.

Related fix proposed to branch: master
Review: https://review.openstack.org/291208

Reviewed: https://review.openstack.org/291208
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9c0bbda07fdcf134308371644d09becbb18c62b1
Submitter: Jenkins
Branch: master

commit 9c0bbda07fdcf134308371644d09becbb18c62b1
Author: Matt Riedemann <email address hidden>
Date: Thu Mar 10 09:35:00 2016 -0500

    Add release notes for security fixes in 13.0.0 mitaka GA

    There are three security issues fixed in mitaka.

    The first two were documented for liberty 12.0.1 but we
    apparently forgot to doc them for mitaka.

    Related-Bug: #1524274
    Related-Bug: #1516765
    Related-Bug: #1548450

    Change-Id: I3eba75f1fc86c4c9abd258042dfafc6df1f2405c