Activity log for bug #1655703

Date Who What changed Old value New value Message
2017-01-11 16:28:45 Rahul U Nair bug added bug
2017-01-11 17:27:52 Jeremy Stanley bug added subscriber Swift Core security contacts
2017-01-11 17:28:39 Jeremy Stanley description
Old value:

When using a token to do an AUTH_test, the swift proxy logs the token used if successful. This can lead to a possible security issue by granting access to a swift cluster to a person who just has access to the logs. This issue is present when the tempAuth authentication flow is used.

The steps to recreate the issue:

1. Install a swift all in one instance (SAIO).
2. Retrieve the admin token from the CLI using the command inside of an SAIO cluster:

```
swift -A http://saio:8080/auth/v1.0 -U admin:admin -K admin stat -v
```

3. Retrieve the auth token from the CLI and issue the command:

```
curl -i http://saio:8080/v1/AUTH_test -I -H "X-Auth-Token: AUTH_tk44d4f00971ed412396b602e46aeef57c"
```

The log written to disk when this command is executed has the token AUTH_tk44d4f00971ed412396b602e46aeef57c written to it as well.

```
Jan 10 21:31:58 ubuntu-xenial proxy-server: STDERR: (28655) accepted ('127.0.0.1', 48506)
Jan 10 21:31:58 ubuntu-xenial proxy-server: User: admin uses token AUTH_tk44d4f00971ed412396b602e46aeef57c (trans_id tx77daa27b44374e688cb82-00587552ce)
Jan 10 21:31:58 ubuntu-xenial proxy-server: User admin:admin has reseller admin authorizing. (txn: tx77daa27b44374e688cb82-00587552ce) (client_ip: 127.0.0.1)
Jan 10 21:31:58 ubuntu-xenial account-6012: STDERR: (28635) accepted ('127.0.0.1', 46292)
Jan 10 21:31:58 ubuntu-xenial account-6012: 127.0.0.1 - - [10/Jan/2017:21:31:58 +0000] "HEAD /sdb1/802/AUTH_test" 204 - "HEAD http://saio:8080/v1/AUTH_test" "tx77daa27b44374e688cb82-00587552ce" "proxy-server 28655" 0.0011 "-" 28635 -
Jan 10 21:31:58 ubuntu-xenial account-6012: STDERR: 127.0.0.1 - - [10/Jan/2017 21:31:58] "HEAD /sdb1/802/AUTH_test HTTP/1.1" 204 442 0.002273 (txn: tx77daa27b44374e688cb82-00587552ce)
Jan 10 21:31:58 ubuntu-xenial proxy-server: removed response headers: [('X-Backend-Recheck-Account-Existence', '60')] (txn: tx77daa27b44374e688cb82-00587552ce) (client_ip: 127.0.0.1)
Jan 10 21:31:58 ubuntu-xenial proxy-server: 127.0.0.1 127.0.0.1 10/Jan/2017/21/31/58 HEAD /v1/AUTH_test HTTP/1.0 204 - curl/7.47.0 AUTH_tk44d4f0097... - - - tx77daa27b44374e688cb82-00587552ce - 0.0267 - - 1484083918.178980112 1484083918.205643892 -
Jan 10
```

This is part of the swift security testing done as part of OSIC. Kindly comment if this is considered as a security issue in swift. From our perspective, under no circumstance should the Auth Token be written to log files, as then it can be accessed by a possible third party.

New value: the same description as above, with the following notice prepended:

This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication.

All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
2017-01-11 17:28:53 Jeremy Stanley bug task added ossa
2017-01-11 17:29:30 Jeremy Stanley ossa: status New Incomplete
2017-01-11 18:09:43 Rahul U Nair bug added subscriber Michael Xin
2017-01-11 18:48:06 Jeremy Stanley ossa: status Incomplete Won't Fix
2017-01-11 18:48:12 Jeremy Stanley information type Private Security Public
2017-02-09 17:39:06 Rahul U Nair swift: status New Confirmed
2019-08-29 19:57:01 Jeremy Stanley description
Old value: the embargo notice followed by the bug description, i.e. the value set in the 2017-01-11 17:28:39 entry above, verbatim.

New value: the bug description alone (the "Old value" of the 2017-01-11 17:28:39 entry), with the embargo notice removed; the description text itself is unchanged.
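The log excerpt in the report shows two different behaviours side by side: the tempauth debug line ("User: admin uses token ...") carries the complete token, while the proxy access log line truncates it to AUTH_tk44d4f0097... (16 characters, which is what Swift's proxy-logging middleware reveals by default via its reveal_sensitive_prefix setting). The following Python is an added example for operators reviewing their own logs; it is not part of the bug report and not Swift code. It scans log lines for full, un-truncated tempauth tokens, reports where they occur, and redacts them to the same 16-character prefix so that already-written logs can be cleaned up. The token pattern (AUTH_tk followed by 32 hex digits) is assumed from the token shown in the report, and the sample log lines are constructed from the excerpt.

```python
import re

# Constructed sample, modelled on the log excerpt in the bug report.
SAMPLE_LOG = """\
Jan 10 21:31:58 ubuntu-xenial proxy-server: User: admin uses token AUTH_tk44d4f00971ed412396b602e46aeef57c (trans_id tx77daa27b44374e688cb82-00587552ce)
Jan 10 21:31:58 ubuntu-xenial proxy-server: User admin:admin has reseller admin authorizing. (txn: tx77daa27b44374e688cb82-00587552ce) (client_ip: 127.0.0.1)
Jan 10 21:31:58 ubuntu-xenial proxy-server: 127.0.0.1 127.0.0.1 10/Jan/2017/21/31/58 HEAD /v1/AUTH_test HTTP/1.0 204 - curl/7.47.0 AUTH_tk44d4f0097... - - - tx77daa27b44374e688cb82-00587552ce - 0.0267
"""

# Assumed token shape: "AUTH_tk" + exactly 32 lowercase hex digits (as in the report).
# The negative lookahead rejects longer hex runs; a truncated token such as
# "AUTH_tk44d4f0097..." has too few digits to match and is left alone.
FULL_TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}(?![0-9a-f])")

# 16 characters matches the prefix the proxy access log line in the report reveals.
DEFAULT_REVEAL = 16


def find_full_tokens(lines):
    """Return (1-based line number, token) for every full token found in `lines`."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in FULL_TOKEN_RE.finditer(line):
            hits.append((number, match.group(0)))
    return hits


def redact(line, reveal=DEFAULT_REVEAL):
    """Replace each full token in `line` with its first `reveal` characters plus '...'."""
    return FULL_TOKEN_RE.sub(lambda m: m.group(0)[:reveal] + "...", line)


def scan_and_redact(text, reveal=DEFAULT_REVEAL):
    """Scan a log text; return (redacted lines, list of leaks found in the original)."""
    lines = text.splitlines()
    leaks = find_full_tokens(lines)
    return [redact(line, reveal) for line in lines], leaks


if __name__ == "__main__":
    cleaned, leaks = scan_and_redact(SAMPLE_LOG)
    for number, token in leaks:
        print(f"line {number}: full token {token[:DEFAULT_REVEAL]}... written to log")
    print("\n".join(cleaned))
```

Run against a real proxy log the script only reports line numbers and the revealed prefix, never the full token, so its own output does not recreate the problem it is checking for.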