2017-01-11 23:11:20 |
Rahul U Nair |
bug |
|
|
added bug |
2017-01-12 00:42:00 |
Jeremy Stanley |
description |
Auth tokens are logged by the proxy and object server if the swauth[1] authentication middleware is used.
The Swift object server and proxy server are saving tokens retrieved from the middleware authentication mechanism (swauth) to the log file.
Steps to trigger the issue:
1. Enable `swauth` authentication middleware
2. Retrieve a token using:
```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```
The logs written when the above command is executed contain the token as well:
```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```
3. After retrieving the token from the log file, I was able to execute this command as below:
```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```
The output obtained:
```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```
As Swift has the ability to add any middleware for authentication, and swauth is officially part of the OpenStack project[1], the token should not be logged. I suspect this issue would be present for any authentication middleware and is a security issue.
[1]. https://github.com/openstack/swauth |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
|
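The report above shows the swauth token appearing verbatim in both the proxy-server and object-server log lines, because swauth stores tokens as objects whose path contains the token itself. Until the middleware is fixed, an operator can at least detect and scrub such tokens before logs are shipped or retained. The following Python is an added example written for this page, not code from the bug report, from swauth or from the Swift project: it assumes the swauth token shape `AUTH_tk` + 32 hex characters seen in the report, assumes a standard syslog prefix (`Mon DD HH:MM:SS host program:`), and uses a keyed HMAC (key is a constructed placeholder) to replace each token with a stable pseudonym, so a request can still be correlated across proxy and object logs without the bearer token being stored. The three sample lines are copied from the report.

```python
import hashlib
import hmac
import re

# swauth tokens look like "AUTH_tk" followed by 32 hex chars, e.g. the report's
# AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0. Assumption: this shape is specific
# enough for the logs being filtered; widen it for other auth middleware.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")

# syslog prefix "Mon DD HH:MM:SS host program:" -> capture the program name
# so leaks can be attributed to the proxy or object service.
SYSLOG_PROGRAM_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+([^\s:]+):"
)

# Sample input: the three log lines from the bug report above.
SAMPLE_LINES = [
    'Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] '
    '"GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 '
    '"GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" '
    '"txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0',
    'Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 '
    'GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - '
    'python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - '
    '0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0',
    'Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] '
    '"GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" '
    '200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)',
]


def find_tokens(line: str) -> list[str]:
    """Return every raw swauth token present in one log line."""
    return TOKEN_RE.findall(line)


def program_of(line: str) -> str:
    """Name of the syslog program that wrote the line, or 'unknown'."""
    m = SYSLOG_PROGRAM_RE.match(line)
    return m.group(1) if m else "unknown"


def scan(lines) -> dict[str, int]:
    """Detection: count lines carrying a raw token, keyed by logging program."""
    counts: dict[str, int] = {}
    for line in lines:
        if TOKEN_RE.search(line):
            prog = program_of(line)
            counts[prog] = counts.get(prog, 0) + 1
    return counts


def pseudonym(token: str, key: bytes) -> str:
    """Keyed, stable replacement for a token. The prefix 'redacted-' is not hex,
    so the output can never be mistaken for (or re-matched as) a real token."""
    digest = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return "AUTH_tkredacted-" + digest[:16]


def redact(line: str, key: bytes) -> str:
    """Mitigation: replace every raw token in a line with its pseudonym.
    Transaction ids and everything else are left intact for correlation."""
    return TOKEN_RE.sub(lambda m: pseudonym(m.group(0), key), line)


if __name__ == "__main__":
    # Constructed placeholder key; in production load it from a secret store.
    key = b"example-log-pseudonym-key"
    print("leaks by program:", scan(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(redact(line, key))
```

Because the pseudonym is keyed, an attacker who obtains the scrubbed logs cannot reverse it to the bearer token, while the operator holding the key can still tie the proxy line and the two object-server lines of one request together. Running `scan` over live logs also gives a simple detection rule: any non-zero count means the deployed middleware is still leaking credentials.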
2017-01-12 00:42:18 |
Jeremy Stanley |
bug |
|
|
added subscriber Swift Core security contacts |
2017-01-12 00:42:41 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2017-01-12 00:43:01 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2017-03-20 14:36:10 |
Jeremy Stanley |
bug task added |
|
swauth |
|
2017-11-02 07:51:43 |
Tristan Cacqueray |
bug |
|
|
added subscriber Ondřej Nový |
2017-11-06 13:08:45 |
Ondřej Nový |
bug |
|
|
added subscriber Pavel Kvasnička |
2017-11-06 13:28:30 |
Ondřej Nový |
swauth: assignee |
|
Pavel Kvasnička (pavel-kvasnicka) |
|
2017-11-06 13:28:36 |
Ondřej Nový |
swauth: status |
New |
In Progress |
|
2017-11-07 09:48:40 |
Ondřej Nový |
cve linked |
|
2017-16613 |
|
2017-11-21 11:22:14 |
Ondřej Nový |
information type |
Private Security |
Public Security |
|
2017-11-21 11:32:21 |
Ondřej Nový |
swauth: importance |
Undecided |
High |
|
2017-11-21 11:35:09 |
Pavel Kvasnička |
swauth: status |
In Progress |
Confirmed |
|
2017-11-21 11:35:17 |
Pavel Kvasnička |
swauth: status |
Confirmed |
In Progress |
|
2017-11-21 11:52:50 |
Ondřej Nový |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882314 |
|
2017-11-21 18:08:53 |
Jeremy Stanley |
description |
|
2017-11-21 18:09:36 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2021-09-24 23:05:11 |
Tim Burke |
swift: status |
New |
Invalid |
|