replication_slave user and passwords exposed in logging

Bug #1664723 reported by Trevor McCasland
Affects: OpenStack DBaaS (Trove); Status: In Progress; Importance: Undecided; Assigned to: Trevor McCasland
Affects: OpenStack Security Advisory; Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned

Bug Description

Currently the passwords and usernames for Trove's replication_user in pxc and percona configuration options are exposed in the logger.

MySQL already has secret=True for their configuration options.

This patch extends that to all of the other database configuration
options using oslo.config.cfg.Opt option secret [1].

See output below for exact logs:

tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password = NETOU7897NNLOU from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.636 DEBUG oslo_service.service [-] pxc.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

References
[1] http://docs.openstack.org/developer/oslo.config/cfg.html

Tags: security
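
An added example, not part of the bug report or of Trove's code: a log audit that finds `log_opt_values` lines like the ones quoted above where a sensitive option was written in clear text instead of the `****` mask that oslo.config writes for options registered with `secret=True`. The sensitive-name pattern is an assumed heuristic, and the sample lines, values and paths are constructed.

```python
import re

# Line shape of oslo.config's log_opt_values DEBUG dump, as quoted in the report:
#   ... DEBUG <logger> [-] <group>.<option> = <value> from (pid=N) log_opt_values <path>
OPT_LINE = re.compile(
    r"DEBUG \S+ \[[^\]]*\] (?P<name>[\w.\-]+)\s*=\s?(?P<value>.*?)\s+"
    r"(?:from \(pid=\d+\) )?log_opt_values\b"
)

# Assumption (heuristic, not from the report): option names that should be secret.
# "_user" is included because the report treats the replication user as sensitive.
SENSITIVE = re.compile(r"pass(word|wd)|secret|token|_key$|_user$", re.IGNORECASE)

# oslo.config writes "****" for options registered with secret=True.
# Unset or empty values leak nothing either.
HARMLESS_VALUES = {"****", "None", ""}


def find_unmasked(lines):
    """Return (line_number, option_name) for sensitive options logged in clear.

    The value itself is never returned, so the audit output cannot re-leak it.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = OPT_LINE.search(line)
        if not match:
            continue
        leaf = match.group("name").rsplit(".", 1)[-1]
        if SENSITIVE.search(leaf) and match.group("value") not in HARMLESS_VALUES:
            findings.append((number, match.group("name")))
    return findings


# Constructed sample lines (values, option names and paths are made up).
SAMPLE = """\
tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password = EXAMPLE-NOT-A-SECRET from (pid=684) log_opt_values /opt/example/oslo_config/cfg.py:1
tr-api.log:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user = slave_user from (pid=684) log_opt_values /opt/example/oslo_config/cfg.py:1
tr-api.log:2017-02-14 10:21:58.630 DEBUG oslo_service.service [-] mysql.replication_password = **** from (pid=684) log_opt_values /opt/example/oslo_config/cfg.py:1
tr-api.log:2017-02-14 10:21:58.631 DEBUG oslo_service.service [-] percona.example_flag = True from (pid=684) log_opt_values /opt/example/oslo_config/cfg.py:1
""".splitlines()

if __name__ == "__main__":
    for number, name in find_unmasked(SAMPLE):
        print(f"line {number}: {name} logged unmasked; register it with secret=True")
```
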
Trevor McCasland (twm2016) wrote :

Attaching plain text version

Trevor McCasland (twm2016) wrote :

^disregard text version above. Attached here is the correctly formatted plain text version.

Jeremy Stanley (fungi) wrote :

The examples only show this happening at DEBUG log level. Does it happen at any non-DEBUG levels as well? Otherwise this is a class B3 report (A vulnerability in experimental or debugging features not intended for production use) and so would not warrant an advisory nor embargo: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Changed in ossa:
status: New → Incomplete
Trevor McCasland (twm2016) wrote :

As far as I know, DEBUG level is the only level this occurs at. The datastores that are related to the logging reported are experimental as well.

Jeremy Stanley (fungi) wrote :

Thanks, Trevor!

If there are no objections from trove-coresec reviewers, I'll switch this to public and triage it as a hardening opportunity in the next couple days.

Changed in trove:
assignee: nobody → Trevor McCasland (twm2016)
Jeremy Stanley (fungi) wrote :

A little longer than I intended to wait for feedback, but it's been over a month with no objections so I'm triaging as a security hardening opportunity now.

information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Tristan Cacqueray (tristan-cacqueray) wrote :

Agreed on class B3, switching this to public.

Jeremy Stanley (fungi)
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to trove (master)

Fix proposed to branch: master
Review: https://review.openstack.org/454204

Changed in trove:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on trove (master)

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/454205
