Sensitive information leaked in mistral logs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| oslo.utils | Fix Released | Critical | Dougal Matthews | |
| tripleo | Fix Released | Critical | Dougal Matthews | |
Bug Description
Hi,
We discovered that all the data from the TripleO heat stack (user-provided and generated passwords, certificates, ssh keys) are available in the mistral logs on the undercloud, in clear text.
We are running TripleO Rocky.
Truncated output:
2019-10-30 07:16:10.083 1 INFO mistral.
We don't have custom settings or modifications on the undercloud, and we use the containers from dockerhub.
From what I understand, this is the normal mistral behaviour, but this type of information should not be logged at all.
Did we do something wrong or is it an actual security problem?
I reported the bug on TripleO because we use mistral in the undercloud context only, feel free to change the target project.
Let me know if you need more information.
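The failure mode the report describes is a serialised Heat stack dictionary written to a log verbatim. As an added example, not code from the bug, from Mistral, from TripleO or from oslo.utils, the block below is a standalone key-based masker of the kind a workflow engine should run over stack data before it ever reaches a logger, with a check that confirms no known secret survives in the rendered line. The marker list, the sample stack data and the function names are assumptions made for the illustration.

```python
"""Mask sensitive values in Heat-style stack data before it reaches a log.

Added example for this bug page; not code from TripleO, Mistral or oslo.utils.
The marker list, sample data and function names are assumptions for the
illustration.
"""
import json
import logging

# Substrings (compared case-insensitively, with '_' and '-' stripped) that
# mark a key as sensitive. Assumed for the example: it follows the kinds of
# values named in the report (passwords, certificates, SSH keys).
SENSITIVE_KEY_MARKERS = (
    "password", "passwd", "secret", "token",
    "privatekey", "sshkey", "certificate",
)
MASK = "***"

# Constructed sample resembling a TripleO stack environment; not real data.
SAMPLE_STACK_DATA = {
    "parameter_defaults": {
        "AdminPassword": "hunter2",
        "ControllerCount": 3,
        "KeyName": "default",  # a keypair *name*, not a secret: must survive
        "SSLCertificate": "-----BEGIN CERTIFICATE-----\nMIIBfakecert\n-----END CERTIFICATE-----",
    },
    "nodes": [
        {"name": "controller-0", "ssh_key": "ssh-rsa AAAAB3fakekey"},
        {"name": "compute-0", "ssh_key": "ssh-rsa AAAAB3fakekey2"},
    ],
}


def is_sensitive_key(key):
    """True if the key name looks like it holds a secret."""
    if not isinstance(key, str):
        return False
    norm = key.lower().replace("_", "").replace("-", "")
    return any(marker in norm for marker in SENSITIVE_KEY_MARKERS)


def mask_sensitive(obj, mask=MASK):
    """Return a copy of obj with the values of sensitive keys replaced.

    Recurses through dicts and lists so nested parameter maps and
    per-node lists are covered. Leaves are returned as-is; the input is
    never modified.
    """
    if isinstance(obj, dict):
        return {k: (mask if is_sensitive_key(k) else mask_sensitive(v, mask))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_sensitive(v, mask) for v in obj]
    return obj


def render_for_log(data, masked=True):
    """Serialise stack data as a logger would; mask first unless told not to."""
    payload = mask_sensitive(data) if masked else data
    return json.dumps(payload, sort_keys=True)


def leaked_secrets(log_line, secrets):
    """Return the secret strings that appear verbatim in a rendered log line."""
    return [s for s in secrets if s in log_line]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(name)s %(message)s")
    log = logging.getLogger("mistral.example")
    secrets = ["hunter2", "BEGIN CERTIFICATE", "ssh-rsa AAAAB3"]
    # What the report describes: the raw stack dict logged verbatim.
    unsafe = render_for_log(SAMPLE_STACK_DATA, masked=False)
    print("unmasked leaks:", leaked_secrets(unsafe, secrets))
    safe = render_for_log(SAMPLE_STACK_DATA)
    log.info("Stack data: %s", safe)
    print("masked leaks:", leaked_secrets(safe, secrets))
```

Two caveats a practitioner would want. Masking by key name only protects values stored under a recognisable key; a credential embedded inside a free-text value (a database URL, a command line) is not caught, which is why oslo.utils also offers `strutils.mask_password` to run regexes over arbitrary strings alongside `strutils.mask_dict_password` for dictionaries. And fixing the logger does nothing for log files already written: once secrets have been logged in clear text, the credentials and keys concerned should be treated as exposed and rotated, and the existing log files purged.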
Changed in tripleo:
assignee: nobody → Dougal Matthews (d0ugal)
information type: Private Security → Public Security

Changed in oslo.utils:
status: New → Triaged
importance: Undecided → Critical

Changed in oslo.utils:
assignee: nobody → Dougal Matthews (d0ugal)

Changed in oslo.utils:
status: Triaged → Fix Released

Changed in tripleo:
status: Triaged → Fix Released
tags: added: queens-backport-potential
I've asked Dougal, our Mistral expert, to take a look asap.