memcached on under/over clouds can be walked for tokens

Bug #1738835 reported by Derek Higgins on 2017-12-18
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Derek Higgins
Milestone: stein-3

Bug Description

memcached in various versions of tripleo contains keystone auth tokens which
can be retrieved by a host on the same network.

Memcached in tripleo is running in such a way as to allow users to walk and read the contents. As memcached contains keystone tokens, a user with access to the service (e.g. on the management network) can read those tokens.

Derek Higgins (derekh) wrote :

After discussing with various stakeholders, as this requires access to trusted networks we're happy that this doesn't require an embargo. So I propose making it public and fixing in the open.

Jeremy Stanley (fungi) wrote :

Switching to a public workflow makes sense in light of this only being vulnerable to attackers with access to privileged infrastructure networks. If this were a reported vulnerability in a vulnerability:managed deliverable for OpenStack, I would make the same recommendation on the part of the OpenStack VMT.

Derek Higgins (derekh) wrote :

I sent a PR to puppet-memcached to start the ball rolling here
https://github.com/saz/puppet-memcached/pull/90

Once it's merged I'll switch to the public workflow and send patches for the openstack bits

Derek Higgins (derekh) wrote :

The patch to memcached is merged and now in a promoted repository so I'm going to make this public and push some patches to use it

information type: Private Security → Public

Fix proposed to branch: master
Review: https://review.openstack.org/538986

Changed in tripleo:
assignee: nobody → Derek Higgins (derekh)
status: New → In Progress
Changed in tripleo:
importance: Undecided → High
milestone: none → queens-rc1
tags: added: pike-backport-potential
information type: Public → Public Security

Reviewed: https://review.openstack.org/538986
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=a4d6987c744be2ff207e0299e5cb52126cfa9ad3
Submitter: Zuul
Branch: master

commit a4d6987c744be2ff207e0299e5cb52126cfa9ad3
Author: Derek Higgins <email address hidden>
Date: Wed Dec 13 15:30:48 2017 +0000

    Disable memcached's cachedump

    To prevent users walking the memcached keys, add "-X".

    Partial-Bug: #1738835

    Change-Id: I363c8faefcb4ce5153030e36498a7a7961520b01

Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/538987
Reason: The gate is having serious troubles with docker.io, we need to abandon this patch so it leaves the gate and when it's stable again I will restore this patch. Please do not restore or do anything, I'll take care of it as soon as things work again.

Reviewed: https://review.openstack.org/538987
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=317ed3194e8d30c7701a6793e81ba1f76d1e0b12
Submitter: Zuul
Branch: master

commit 317ed3194e8d30c7701a6793e81ba1f76d1e0b12
Author: Derek Higgins <email address hidden>
Date: Tue Dec 12 14:59:37 2017 +0000

    Disable memcached's cachedump

    To prevent users walking the memcached keys, add "-X"
    to memcached in both containerized and puppet memcached
    overcloud services.

    Change-Id: I50eefdbdf7a7911f2ba6a7f3b4e739b8e67a7c1c
    Partial-Bug: #1738835

Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
Changed in tripleo:
status: In Progress → Won't Fix
status: Won't Fix → Fix Released
This report contains Public Security information.
