Activity log for bug #1655781

Date Who What changed Old value New value Message
2017-01-11 23:11:20 Rahul U Nair bug added bug
2017-01-12 00:42:00 Jeremy Stanley description
Old value:
Auth tokens logged by proxy and object server if the swauth[1] authentication middleware is used.

The Swift object store and proxy server are saving tokens retrieved from the middleware authentication mechanism (swauth) to the log file.

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retrieve token using:
```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```
Logs written when the above command is executed have the token as well:
```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```
3. After retrieving the token from the logfile, I was able to execute this command as below,
```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```
The output obtained:
```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```
As swift has the ability to add any middleware for authentication, and swauth is officially part of the OpenStack project[1], the token should not be logged.

I suspect this issue would be there for any authentication middleware and is a security issue.

[1] https://github.com/openstack/swauth

New value: the following embargo notice, followed by the Old value text above, unchanged.

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
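A defender-side check and log-redaction filter for the token format the report shows; this is an added example, not code from the bug report, swauth or Swift. It assumes swauth tokens have the shape AUTH_tk plus 32 hex characters (taken from the quoted log) and that the log pipeline holds an HMAC key for non-reversible correlation; the third sample line is constructed.

```python
import hashlib
import hmac
import re

# Assumption from the quoted log: swauth tokens are "AUTH_tk" + 32 hex chars.
# The same value appears in the object path /AUTH_.auth/.token_0/<token> on
# the object server and in the proxy request line, so one pattern covers
# every place it is written.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")

# First two records are the proxy/object-server lines quoted in the report;
# the third is a constructed control line with no token in it.
SAMPLE_LOG = [
    'Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] '
    '"GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 '
    '"GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" '
    '"txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0',
    'Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET '
    '/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - '
    'python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH',
    'Jan 11 22:52:00 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/52/00 GET '
    '/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254 HTTP/1.0 200 - curl - - 2 - txbd83d5254a404647bb086',
]


def find_leaked_tokens(lines):
    """Incident-response sweep: map every token found in already-written logs
    to the 1-based line numbers it appears on, so those tokens can be revoked."""
    found = {}
    for n, line in enumerate(lines, 1):
        for tok in sorted(set(TOKEN_RE.findall(line))):
            found.setdefault(tok, []).append(n)
    return found


def token_fingerprint(token, key):
    """Keyed, non-reversible stand-in: requests made with the same token still
    correlate, but the credential itself never reaches the log store."""
    return hmac.new(key, token.encode("ascii"), hashlib.sha256).hexdigest()[:12]


def redact_line(line, key):
    """Mitigation at the log-shipping layer (syslog/forwarder filter): rewrite
    each token before the line leaves the host."""
    return TOKEN_RE.sub(lambda m: "AUTH_tk<" + token_fingerprint(m.group(0), key) + ">", line)
```

Redacting at the forwarder is a stop-gap; it does not address the token being used as a plaintext object name on the object server itself.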
2017-01-12 00:42:18 Jeremy Stanley bug added subscriber Swift Core security contacts
2017-01-12 00:42:41 Jeremy Stanley bug task added ossa
2017-01-12 00:43:01 Jeremy Stanley ossa: status New Incomplete
2017-03-20 14:36:10 Jeremy Stanley bug task added swauth
2017-11-02 07:51:43 Tristan Cacqueray bug added subscriber Ondřej Nový
2017-11-06 13:08:45 Ondřej Nový bug added subscriber Pavel Kvasnička
2017-11-06 13:28:30 Ondřej Nový swauth: assignee Pavel Kvasnička (pavel-kvasnicka)
2017-11-06 13:28:36 Ondřej Nový swauth: status New In Progress
2017-11-07 09:48:40 Ondřej Nový cve linked 2017-16613
2017-11-21 11:22:14 Ondřej Nový information type Private Security Public Security
2017-11-21 11:32:21 Ondřej Nový swauth: importance Undecided High
2017-11-21 11:35:09 Pavel Kvasnička swauth: status In Progress Confirmed
2017-11-21 11:35:17 Pavel Kvasnička swauth: status Confirmed In Progress
2017-11-21 11:52:50 Ondřej Nový bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882314
2017-11-21 18:08:53 Jeremy Stanley description
Old value: the embargo notice followed by the bug description, exactly as set in the 2017-01-12 00:42:00 description change.
New value: the bug description with the embargo notice removed; the report text itself is unchanged.
2017-11-21 18:09:36 Jeremy Stanley ossa: status Incomplete Won't Fix