OpenStack shell print credentials by default in debug mode

Bug #1327019 reported by Xu Han Peng
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance Client
Undecided
lvdongbing
OpenStack Security Advisory
Undecided
Unassigned
python-ceilometerclient
Undecided
Zhikun Liu
python-cinderclient
Undecided
lvdongbing
python-heatclient
Fix Released
Undecided
lvdongbing
python-neutronclient
Undecided
Unassigned
python-novaclient
High
Qin Zhao

Bug Description

OpenStack shell client prints credential information (user password and user token) by default in debug mode.

For example:

neutron --debug net-list
DEBUG: neutronclient.neutron.v2_0.network.ListNetwork get_data(Namespace(columns=[], fields=[], formatter='table', page_size=None, quote_mode='nonnumeric', request_format='json', show_details=False, sort_dir=[], sort_key=[]))
DEBUG: neutronclient.client
REQ: curl -i http://10.9.0.51:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "admin", "password": "openstack1"}}}'

Other components also has the credentials in debug mode.

This behavior exposes a vulnerability to print sensitive information by shell when user didn't expect so.

Xu Han Peng (xuhanp)
affects: neutron → python-neutronclient
Changed in python-neutronclient:
assignee: nobody → Xu Han Peng (xuhanp)
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Hello,

thanks for the report, the OSSA task is set to Won't Fix because password leak in debug mode does not warrant an advisory.

Changed in ossa:
status: New → Won't Fix
Xu Han Peng (xuhanp)
information type: Private Security → Public
summary: - neutronclient shell print credentials by default in debug mode
+ OpenStack shell print credentials by default in debug mode
Xu Han Peng (xuhanp)
description: updated
no longer affects: nova
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/104497

Changed in python-neutronclient:
assignee: Xu Han Peng (xuhanp) → Feng Ju (jufeng)
status: New → In Progress
Changed in python-neutronclient:
assignee: Feng Ju (jufeng) → Xu Han Peng (xuhanp)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-ceilometerclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/106932

Changed in python-ceilometerclient:
assignee: nobody → Zhi Kun Liu (zhikunliu)
status: New → In Progress
Changed in python-novaclient:
assignee: nobody → Qin Zhao (zhaoqin)
status: New → In Progress
Revision history for this message
Qin Zhao (zhaoqin) wrote :

Code change for Nova client is proposed https://review.openstack.org/#/c/106987/

Revision history for this message
gordon chung (chungg) wrote :

should this be done in oslo client code? so we don't have x different solutions running around?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-ceilometerclient (master)

Reviewed: https://review.openstack.org/106932
Committed: https://git.openstack.org/cgit/openstack/python-ceilometerclient/commit/?id=e5048043e211ea9cc094e439a51099fdc7e38e2e
Submitter: Jenkins
Branch: master

commit e5048043e211ea9cc094e439a51099fdc7e38e2e
Author: Zhi Kun Liu <email address hidden>
Date: Tue Jul 15 13:17:05 2014 +0800

    Don't expose X-Auth-Token in ceilometer CLI

    Ceilometer CLI exposes X-Auth-Token in debug mode. This patch
    replaces X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some
    credentials are exposed by keystoneclient as ceilometerclient
    uses keystoneclient to authenticate, it will be fixed in bug:
    100414.

    Change-Id: Ia6364314e4b4d26301f974582c0c2ba34b054c86
    Partial-Bug: #1327019

lvdongbing (dbcocle)
Changed in python-heatclient:
assignee: nobody → lvdongbing (dbcocle)
Changed in python-cinderclient:
assignee: nobody → lvdongbing (dbcocle)
lvdongbing (dbcocle)
Changed in python-heatclient:
assignee: lvdongbing (dbcocle) → nobody
status: New → Fix Committed
Changed in python-glanceclient:
status: New → Fix Committed
lvdongbing (dbcocle)
Changed in python-heatclient:
assignee: nobody → lvdongbing (dbcocle)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-heatclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109234

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-glanceclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109239

lvdongbing (dbcocle)
Changed in python-glanceclient:
status: Fix Committed → New
Changed in python-heatclient:
status: Fix Committed → New
Changed in python-glanceclient:
assignee: nobody → lvdongbing (dbcocle)
Changed in python-glanceclient:
status: New → In Progress
Changed in python-heatclient:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-cinderclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109808

Changed in python-cinderclient:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-novaclient (master)

Reviewed: https://review.openstack.org/106987
Committed: https://git.openstack.org/cgit/openstack/python-novaclient/commit/?id=60d1283968643064351f182483b0df0ac93f6640
Submitter: Jenkins
Branch: master

commit 60d1283968643064351f182483b0df0ac93f6640
Author: Qin Zhao <email address hidden>
Date: Tue Jul 15 18:25:57 2014 +0800

    Don't log sensitive auth data

    This code change redacts the password in keystone request, and
    also redact the token text in keystone response. The code still
    makes REST call by itelf, instead of calling keystone client.

    Closes-Bug: 1327019

    Change-Id: Ib9c0610c1ef351a127364478721cf961c2a30125

Changed in python-novaclient:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-cinderclient (master)

Change abandoned by Huang Zhiteng (<email address hidden>) on branch: master
Review: https://review.openstack.org/109808

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-heatclient (master)

Reviewed: https://review.openstack.org/109234
Committed: https://git.openstack.org/cgit/openstack/python-heatclient/commit/?id=99fabf0dceb04517c88b45609d1d0a1ff829f892
Submitter: Jenkins
Branch: master

commit 99fabf0dceb04517c88b45609d1d0a1ff829f892
Author: lvdongbing <email address hidden>
Date: Thu Jul 24 17:49:32 2014 +0800

    Don't expose X-Auth-Token in heat CLI

    Heat CLI exposes X-Auth-Token in debug mode. This patch replaces
    X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some credentials
    are exposed by keystoneclient as heatclient uses keystoneclient to
    authenticate, it will be fixed in bug:100414.

    Change-Id: Ic768af5a947535807ba449fb0aeb1eb98dac56e6
    Partial-Bug: #1327019

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-glanceclient (master)

Change abandoned by Flavio Percoco (<email address hidden>) on branch: master
Review: https://review.openstack.org/109239
Reason: Superseded Change-Id: I3045d6d9d2a13770f4022dbbd474b34eb1032f6e

Michael Still (mikal)
Changed in python-novaclient:
importance: Undecided → High
Michael Still (mikal)
Changed in python-novaclient:
milestone: none → 2.19.0
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-neutronclient (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/104497
Reason: This change is old enough and hasn't seen any updates since July 10, 2014. Abandoning it, please revive it if you plan to work on it again.

Changed in python-heatclient:
status: In Progress → Fix Released
Zhikun Liu (zhikunliu)
Changed in python-ceilometerclient:
status: In Progress → Fix Released
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 172 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in python-neutronclient:
assignee: Xu Han Peng (xuhanp) → nobody
status: In Progress → Incomplete
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

Unable to reproduce with the current cinderclient.

Changed in python-cinderclient:
status: In Progress → Invalid
Revision history for this message
Akihiro Motoki (amotoki) wrote :

neutron CLI now uses keystoneauth and keystoneauth handles it.

There might be the issue in past releases but there is no issue in the current supported releases (mitaka and later)

Changed in python-neutronclient:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers