Comment 17 for bug 1321080

Tristan Cacqueray (tristan-cacqueray) wrote : Re: auth token is exposed in meter http.request

@Zhi Kun Liu, is Havana impacted as well?

@All, while oslo-incubator is not supported, should we include it in this OSSA? Is it realistic to use this middleware outside of Oslo in another service, or are only Neutron and Ceilometer actually impacted?

In the meantime, here is the impact description draft #1:

Title: User token leak to message queue in the notifier middleware
Reporter: Zhi Kun Liu (IBM)
Products: Neutron, Ceilometer, Oslo
Versions: 2014.1.1

Description:
Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in Neutron and Ceilometer or through the Oslo library. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that go through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted.
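To make the leak described in the draft concrete, here is an added example that is not the oslo-incubator, Neutron or Ceilometer code. It models a minimal WSGI notifier middleware that publishes an http.request notification built from the WSGI environ, where the X-Auth-Token header arrives as HTTP_X_AUTH_TOKEN per the CGI convention. The InMemoryQueue, the SENSITIVE_HEADERS set, the redact flag and the sample environ are all constructed for this illustration; the real middleware publishes to the message bus and has its own payload layout. The leaky variant copies every HTTP_* header into the notification, so anyone who can read the queue gets the token; the redacting variant drops the token headers before publishing.

```python
"""Token leak through a request-notifier middleware (constructed example).

Not oslo/Neutron/Ceilometer code: a hypothetical WSGI middleware that
emits an http.request notification, with an in-memory queue standing in
for the AMQP notification topic.
"""

# Header keys (CGI form) that must never reach the notification bus.
# Constructed list for the example; X_SERVICE_TOKEN is added for completeness.
SENSITIVE_HEADERS = frozenset({"HTTP_X_AUTH_TOKEN", "HTTP_X_SERVICE_TOKEN"})


class InMemoryQueue:
    """Stand-in for the message queue an attacker with read access could tap."""

    def __init__(self):
        self.messages = []

    def publish(self, event_type, payload):
        self.messages.append({"event_type": event_type, "payload": payload})


def request_payload(environ, redact):
    """Build the http.request payload from a WSGI environ.

    redact=False reproduces the leaky behaviour: every HTTP_* header,
    the auth token included, is copied into the notification.
    redact=True drops the token headers before anything is published.
    """
    headers = {}
    for key, value in environ.items():
        if not key.startswith("HTTP_"):
            continue
        if redact and key in SENSITIVE_HEADERS:
            continue
        headers[key] = value
    return {
        "method": environ.get("REQUEST_METHOD"),
        "path": environ.get("PATH_INFO"),
        "headers": headers,
    }


class NotifierMiddleware:
    """Hypothetical notifier placed after auth_token in the WSGI pipeline."""

    def __init__(self, app, queue, redact=True):
        self.app = app
        self.queue = queue
        self.redact = redact

    def __call__(self, environ, start_response):
        # The notification is sent before the wrapped app sees the request.
        self.queue.publish("http.request", request_payload(environ, self.redact))
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Trivial downstream application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


# Constructed WSGI environ for an authenticated API call; the token value is fake.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/v2/meters",
    "HTTP_HOST": "ceilometer.example.org",
    "HTTP_X_AUTH_TOKEN": "gAAAAAExampleTokenConstructedForThisDemoOnly",
    "HTTP_X_PROJECT_ID": "5f1e7c0d2b9a4e3f8c6d1a2b3c4d5e6f",
    "HTTP_USER_AGENT": "python-ceilometerclient",
}


def run(redact):
    """Push one request through the middleware and return what hit the queue."""
    queue = InMemoryQueue()
    app = NotifierMiddleware(demo_app, queue, redact=redact)
    list(app(dict(SAMPLE_ENVIRON), lambda status, headers: None))
    return queue.messages


def token_leaked(messages):
    """True if any published notification carries the auth token header."""
    return any("HTTP_X_AUTH_TOKEN" in m["payload"]["headers"] for m in messages)


if __name__ == "__main__":
    print("leaky middleware leaks token:", token_leaked(run(redact=False)))
    print("redacting middleware leaks token:", token_leaked(run(redact=True)))
```

The check worth keeping from this is token_leaked: run it against a capture of the notification topic (or a unit test driving the real middleware) to confirm the fix actually strips the header rather than merely renaming it.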