From 1662558 at bugs.launchpad.net Fri Mar 2 10:43:18 2018
From: 1662558 at bugs.launchpad.net (Eric Harney)
Date: Fri, 02 Mar 2018 10:43:18 -0000
Subject: [Openstack-security] [Bug 1662558] Re: Nexenta disabling certificate verification
References: <20170207154648.30362.815.malonedeb@gac.canonical.com>
Message-ID: <151998740017.16693.5313859105993054337.launchpad@soybean.canonical.com>

** Changed in: cinder
       Status: New => Confirmed

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1662558

Title: Nexenta disabling certificate verification
Status in Cinder: Confirmed

Bug description:
  Nexenta is making request calls with verify=False which disables SSL
  certificate checks in the following file:

    cinder/volume/drivers/nexenta/ns5/jsonrpc.py

  As suggested in this patch set (https://review.openstack.org/#/c/426385/),
  this bug is being opened in order to either fix the checks or add comments
  in the driver explaining why this is safe.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1662558/+subscriptions

From fungi at yuggoth.org Fri Mar 2 15:05:56 2018
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Fri, 02 Mar 2018 15:05:56 -0000
Subject: [Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152000315622.20784.3559220500436751065.malone@chaenomeles.canonical.com>

Any update on the state of this? It's really pretty urgent. An example of
_why_ it's a problem: http://www.openwall.com/lists/oss-security/2018/03/02/1

https://bugs.launchpad.net/bugs/1749326

Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

Bug description:
  One of the donor service providers for the upstream OpenStack
  Infrastructure CI pool has notified us that their security team's
  periodic vulnerability scans have been identifying systems at random
  within our environment as running open memcached servers. Job
  correlation from these reports indicates each was running one of the
  following:

    kolla-ansible-oraclelinux-binary
    kolla-ansible-oraclelinux-source
    kolla-ansible-oraclelinux-source-ceph

  Please adjust the configuration of your job framework to prevent these
  services from being exposed to the Internet (through iptables ingress
  filters, service ACLs, configuring them to not listen on
  globally-routable interfaces, whatever works). Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/kolla-ansible/+bug/1749326/+subscriptions

From fungi at yuggoth.org Mon Mar 5 21:07:57 2018
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Mon, 05 Mar 2018 21:07:57 -0000
Subject: [Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152028407734.7827.15324184562785073271.malone@wampee.canonical.com>

I'm marking the advisory task won't fix and triaging this as a potential
security hardening opportunity. In the past we've considered information
leaking in DEBUG level logs to fit the B3 classification (a vulnerability
in experimental or debugging features not intended for production use) in
our report taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Information type changed from Public Security to Public

** Tags added: security

** Changed in: ossa
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/1750074

Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

Bug description:
  Cinder may log rabbitmq password on connection when DEBUG is on.

  Example on cinder-scheduler.log file after enabling DEBUG:
  (Password has been replaced with XXX)

    2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url : rabbit://guest:XXX at 10.10.10.1:5672,guest:XXX at 10.10.10.2:5672,guest:XXX at 10.10.10.3:5672 wait /usr/lib/python2.7/site-packages/cinder/service.py:611

  In a production environment, this is pretty bad.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1750074/+subscriptions

From 1750074 at bugs.launchpad.net Tue Mar 6 09:38:54 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 06 Mar 2018 09:38:54 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix proposed to manila (stable/pike)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152032913458.3734.11975639153088036382.malone@soybean.canonical.com>

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/549989

https://bugs.launchpad.net/bugs/1750074
Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

From 1750074 at bugs.launchpad.net Tue Mar 6 09:39:25 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 06 Mar 2018 09:39:25 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix proposed to manila (stable/queens)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152032916558.7246.3742462996610205804.malone@gac.canonical.com>

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/549990

https://bugs.launchpad.net/bugs/1750074
Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

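The leak reported in bug 1750074 above and the shape of its fix, as an added example that is not cinder's, manila's or oslo.config's own code: a redaction pass that masks every user:password@ credential in a multi-host transport_url (the pattern the quoted DEBUG line shows), a check that flags log lines still carrying one, and a minimal stand-in for the secret=True handling the fix relies on, printing '****' for options declared secret (oslo.config's log_opt_values does this, and oslo.messaging declares transport_url secret). The log lines, the Opt class and the password value are constructed for the example.

```python
import re

# Constructed sample DEBUG lines shaped like the cinder-scheduler.log
# excerpt in the bug report.  "s3cretpw" is a made-up placeholder, not a
# real credential; the second line is a non-sensitive control line.
SAMPLE_LOG = [
    "2018-02-05 19:21:52.721 35 DEBUG cinder.service "
    "[req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url : "
    "rabbit://guest:s3cretpw@10.10.10.1:5672,guest:s3cretpw@10.10.10.2:5672,"
    "guest:s3cretpw@10.10.10.3:5672 wait "
    "/usr/lib/python2.7/site-packages/cinder/service.py:611",
    "2018-02-05 19:21:52.722 35 DEBUG cinder.service "
    "[req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] rpc_response_timeout : "
    "60 wait /usr/lib/python2.7/site-packages/cinder/service.py:611",
]

# A credential in a URL is "user:password@host".  In a multi-host
# transport_url the "user:password@host:port" part repeats, separated by
# commas, so the pattern must match after either "scheme://" or ",".
_URL_CREDENTIAL = re.compile(
    r"(?P<prefix>(?:[A-Za-z][A-Za-z0-9+.-]*://|,)[^:/@,\s]+:)"
    r"(?P<password>[^@\s,]+)@"
)


def mask_url_passwords(line, mask="***"):
    """Replace every URL userinfo password in a log line, keeping the
    username and host so the line stays useful for debugging."""
    return _URL_CREDENTIAL.sub(lambda m: m.group("prefix") + mask + "@", line)


def find_leaked_credentials(lines):
    """Return the indexes of lines that still carry a plaintext URL
    password: a cheap check to run over DEBUG logs before sharing them."""
    return [i for i, line in enumerate(lines) if mask_url_passwords(line) != line]


class Opt(object):
    """Minimal stand-in for an oslo.config option with only the two fields
    this example needs.  Not oslo.config's own class."""
    def __init__(self, name, secret=False):
        self.name = name
        self.secret = secret


def format_opt_values(opts, values):
    """Render configuration the way the fix relies on: an option declared
    secret=True is printed as '****' instead of its value, so a
    transport_url never reaches the log in the first place."""
    rendered = []
    for opt in opts:
        shown = "****" if opt.secret else values.get(opt.name)
        rendered.append("%s = %s" % (opt.name, shown))
    return rendered


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(mask_url_passwords(line))
    print("lines with plaintext credentials:", find_leaked_credentials(SAMPLE_LOG))
    opts = [Opt("transport_url", secret=True), Opt("rpc_response_timeout")]
    values = {"transport_url": "rabbit://guest:s3cretpw@10.10.10.1:5672",
              "rpc_response_timeout": 60}
    for entry in format_opt_values(opts, values):
        print(entry)
```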
From 1749326 at bugs.launchpad.net Wed Mar 7 04:24:37 2018
From: 1749326 at bugs.launchpad.net (Jeffrey Zhang)
Date: Wed, 07 Mar 2018 04:24:37 -0000
Subject: [Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152039667713.7121.12396001829697811665.malone@gac.canonical.com>

We are trying to use iptables to prevent other IPs from connecting to the
memcached port. I think devstack has the same issue; how does it avoid it?

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

From 1749326 at bugs.launchpad.net Wed Mar 7 04:28:49 2018
From: 1749326 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 07 Mar 2018 04:28:49 -0000
Subject: [Openstack-security] [Bug 1749326] Related fix proposed to kolla-ansible (master)
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152039692965.3997.8545820171275223756.malone@soybean.canonical.com>

Related fix proposed to branch: master
Review: https://review.openstack.org/550325

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

From fungi at yuggoth.org Wed Mar 7 12:38:33 2018
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 07 Mar 2018 12:38:33 -0000
Subject: [Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152042631354.7787.17308947906086168694.malone@wampee.canonical.com>

We preinstall restrictive iptables rulesets on our images when building
them via
http://git.openstack.org/cgit/openstack-infra/project-config/tree/nodepool/elements/nodepool-base/install.d/20-iptables
and devstack configures keystone's memcached_servers setting to
localhost:11211 so that it traverses the loopback interface rather than
an externally-reachable address.

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

From 1749326 at bugs.launchpad.net Wed Mar 7 17:14:15 2018
From: 1749326 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 07 Mar 2018 17:14:15 -0000
Subject: [Openstack-security] [Bug 1749326] Change abandoned on kolla-ansible (master)
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152044285590.7164.456593143008348280.malone@gac.canonical.com>

Change abandoned by Jeffrey Zhang (jeffrey.zhang at 99cloud.net) on branch: master
Review: https://review.openstack.org/550325
Reason: check https://review.openstack.org/#/c/549715/1

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

From fungi at yuggoth.org Wed Mar 7 18:36:56 2018
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 07 Mar 2018 18:36:56 -0000
Subject: [Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152044781690.6963.1834271732289924177.malone@wampee.canonical.com>

It's worth noting that all the test nodes on which jobs run boot up with
the rules I linked above already applied. If memcached or other services
are being exposed on reachable interfaces of the node then it can only be
because you're altering or tearing down the existing iptables ruleset.

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Confirmed

From 1750074 at bugs.launchpad.net Fri Mar 9 16:25:10 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 09 Mar 2018 16:25:10 -0000
Subject: [Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152061271040.30419.17361112834010686565.malone@wampee.canonical.com>

Reviewed:  https://review.openstack.org/548891
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=9ba486370b00e131086162265c4a0e7dd85bf8ec
Submitter: Zuul
Branch:    stable/ocata

commit 9ba486370b00e131086162265c4a0e7dd85bf8ec
Author: Eric Harney
Date:   Wed Feb 21 14:27:11 2018 -0500

    Log config options with oslo.config

    This removes some custom Cinder code which handles filtering
    secret config options in a flaky way.

    Filtering will now be based on the "secret=True" option flag.

    Related-Bug: #1750074
    Change-Id: I1c404b057d1471c85bd7eaf5c096f5912293460a
    (cherry picked from commit 7d278042c5280e40d5ed68f504f45ef023f05e18)
    (cherry picked from commit 4bc52eb7ba35da9005c7d28c341b0ce408216572)

** Tags added: in-stable-ocata

https://bugs.launchpad.net/bugs/1750074
Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

From 1749326 at bugs.launchpad.net Sun Mar 11 03:44:38 2018
From: 1749326 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 11 Mar 2018 03:44:38 -0000
Subject: [Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
References: <151856918155.29609.17973703058565700322.malonedeb@chaenomeles.canonical.com>
Message-ID: <152073987863.14710.15378107888453968657.malone@chaenomeles.canonical.com>

Reviewed:  https://review.openstack.org/550821
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=404d4d0a50f292b1fd6e916cf80813b260621840
Submitter: Zuul
Branch:    master

commit 404d4d0a50f292b1fd6e916cf80813b260621840
Author: Paul Bourke
Date:   Thu Mar 8 12:55:05 2018 +0000

    Use zuul firewall rules in gate

    Till now we've been flushing iptables in the gates to allow cross node
    communication in the multi node ceph jobs. This raised security
    concerns, in particular it exposed memcached to the external net.

    This patch uses the infra provided role 'multi-node-firewall' in order
    to correctly configure iptables.

    Thanks to Jeremy Stanley and Jeffrey for help with this.

    Closes-Bug: #1749326
    Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0

** Changed in: kolla-ansible
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1749326
Title: Exploitable services exposed on community test nodes
Status in kolla-ansible: Fix Released

From 1750074 at bugs.launchpad.net Tue Mar 13 14:27:54 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 13 Mar 2018 14:27:54 -0000
Subject: [Openstack-security] [Bug 1750074] Change abandoned on cinder (stable/ocata)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152095127433.14466.9990787334207157964.malone@chaenomeles.canonical.com>

Change abandoned by Eric Harney (eharney at redhat.com) on branch: stable/ocata
Review: https://review.openstack.org/545620
Reason: https://review.openstack.org/#/c/548891/

https://bugs.launchpad.net/bugs/1750074
Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

From 1732155 at bugs.launchpad.net Tue Mar 13 17:40:21 2018
From: 1732155 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 13 Mar 2018 17:40:21 -0000
Subject: [Openstack-security] [Bug 1732155] Fix merged to cinder (master)
References: <151065694305.7350.16228969126396748741.malonedeb@soybean.canonical.com>
Message-ID: <152096282166.3497.138966839331480707.malone@gac.canonical.com>

Reviewed:  https://review.openstack.org/519618
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=21362156125cadc0cddbffdc911d15a29c949902
Submitter: Zuul
Branch:    master

commit 21362156125cadc0cddbffdc911d15a29c949902
Author: lijing
Date:   Tue Nov 14 18:59:29 2017 +0800

    use defusedxml to avoid XML attack

    According to
    https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
    Using various XML methods to parse untrusted XML data is known to be
    vulnerable to XML attacks. Methods should be replaced with their
    defusedxml equivalents.

    Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686
    Partial-Bug: #1732155

https://bugs.launchpad.net/bugs/1732155

Title: bandit report: use defusedxml to avoid XML attack
Status in Cinder: In Progress
Status in OpenStack Security Advisory: Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html
  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions

From 1750074 at bugs.launchpad.net Tue Mar 13 18:18:16 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 13 Mar 2018 18:18:16 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix merged to manila (master)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152096509615.6938.15154799424124848724.malone@soybean.canonical.com>

Reviewed:  https://review.openstack.org/546786
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=3d7909deb21a1f0be4cd6eca13dc9e8d070f71e2
Submitter: Zuul
Branch:    master

commit 3d7909deb21a1f0be4cd6eca13dc9e8d070f71e2
Author: Dustin Schoenbrun
Date:   Wed Feb 21 17:02:31 2018 -0500

    Log config options with oslo.config

    This removes some custom code inherited from Cinder which was handling
    the output of secret options in a bad way. This patch utilizes Oslo's
    existing utilities to output the Manila configuration options securely.

    Filtering will be done with the "secret=True" option flag.

    Major thanks to Eric Harney for introducing this fix to Cinder.

    Change-Id: I894e011680661c0b73b9592f70a6457e403f18c6
    Related-Bug: #1750074

https://bugs.launchpad.net/bugs/1750074
Title: Cinder logs rabbitmq password on connection log
Status in Cinder: Fix Released
Status in Manila: Fix Released
Status in OpenStack Security Advisory: Won't Fix

From 1188189 at bugs.launchpad.net Wed Mar 21 16:40:37 2018
From: 1188189 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 21 Mar 2018 16:40:37 -0000
Subject: [Openstack-security] [Bug 1188189] Fix merged to cinder (master)
References: <20130606134102.14097.28030.malonedeb@soybean.canonical.com>
Message-ID: <152165043728.1762.189078275820826741.malone@wampee.canonical.com>

Reviewed:  https://review.openstack.org/538237
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=431b4284bf12dfd8f97af95a9b96356105e08404
Submitter: Zuul
Branch:    master

commit 431b4284bf12dfd8f97af95a9b96356105e08404
Author: Ibadulla Khan
Date:   Fri Jan 26 19:08:35 2018 +0530

    QNAP Drivers - Move from httplib to requests

    Use driver_ssl_cert_verify under backend section to enable or disable
    SSL verification.

    NOTE: IPv6 isn't supported by QNAP driver.

    Change-Id: Iba886fd0bd401052a444eb7a4427607e693d7c81
    Closes-Bug: 1658766
    Partial-Bug: 1188189

https://bugs.launchpad.net/bugs/1188189

Title: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)
Status in Cinder: In Progress
Status in OpenStack Identity (keystone): Fix Released
Status in neutron: Fix Released
Status in oslo.vmware: Fix Released
Status in OpenStack Security Advisory: Won't Fix
Status in OpenStack Security Notes: Fix Released
Status in python-keystoneclient: Fix Released
Status in OpenStack Object Storage (swift): Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :

    keystone/middleware/s3_token.py
    keystone/middleware/ec2_token.py
    keystone/common/bufferedhttp.py
    vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and should
  be avoided. This is fixed in Python 3, however in 2.X no validation
  occurs.

  I suspect this is also applicable to most OpenStack modules that make
  HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions

From fungi at yuggoth.org Thu Mar 22 15:39:34 2018
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Thu, 22 Mar 2018 15:39:34 -0000
Subject: [Openstack-security] [Bug 1757300] Re: RandomString may have less entropy than expected
References: <152159262637.18509.15861333391173783708.malonedeb@chaenomeles.canonical.com>
Message-ID: <152173317492.26288.6974123575182082229.malone@gac.canonical.com>

Thanks. In that case I'll just flag it as a security hardening opportunity.
We can revisit that and issue an advisory if new issues come to light
suggesting it's more serious than we think.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Information type changed from Public Security to Public

https://bugs.launchpad.net/bugs/1757300

Title: RandomString may have less entropy than expected
Status in OpenStack Heat: In Progress
Status in OpenStack Security Advisory: Won't Fix

Bug description:
  When generating a random string, once we have selected from the various
  required pools, we continue by selecting a pool at random and then
  selecting a character from that pool at random. This does not take into
  account the differing sizes of the available pools, nor the fact that
  the same character could appear in multiple pools. This results in a
  non-uniform probability distribution of characters.

  For example, in the following resource:

    type: OS::Heat::RandomString
    properties:
      length: 66
      character_classes:
        - class: lettersdigits
      character_sequences:
        - sequence: "*$"

  one might reasonably expect to find an average of 3 '*' or '$'
  characters in the output, but in fact there would be an average of 33.

  Since users mostly make use of this feature to generate default
  passwords for services they are deploying, this would result in the
  generated passwords having slightly less entropy than expected.
  Pathological cases where the entropy is massively reduced (like the one
  above - where it is only 229.5 bits vs. the expected 391 bits) are
  possible, although it's probably unlikely that users would encounter
  them by accident.
To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1757300/+subscriptions

From 1757300 at bugs.launchpad.net Fri Mar 23 13:23:40 2018
From: 1757300 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 23 Mar 2018 13:23:40 -0000
Subject: [Openstack-security] [Bug 1757300] Re: RandomString may have less entropy than expected
References: <152159262637.18509.15861333391173783708.malonedeb@chaenomeles.canonical.com>
Message-ID: <152181142014.22734.16767395688930280491.malone@soybean.canonical.com>

Reviewed:  https://review.openstack.org/554745
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=6e16c051ba9c2fc409c82fda19467d9ee1aaf484
Submitter: Zuul
Branch:    master

commit 6e16c051ba9c2fc409c82fda19467d9ee1aaf484
Author: Zane Bitter
Date:   Tue Mar 20 20:48:38 2018 -0400

    Fix entropy problems with OS::Random::String

    When generating a random string, once we had selected from the various
    required pools, we continued by selecting a pool at random and then
    selecting a character from that pool at random. This did not take into
    account the differing sizes of the available pools, nor the fact that
    the same character could appear in multiple pools, which resulted in a
    non-uniform probability distribution of characters.

    Since users mostly make use of this feature to generate default
    passwords for services they are deploying, this would result in the
    generated passwords having slightly less entropy than expected (and
    pathological cases were possible).

    Rectify this by always selecting non-constrained characters from a
    single combined pool, and by ensuring that each character appears only
    once in any pool we're selecting from.

    Since we also want to use this method to generate passwords for
    OpenStack Users, the new implementation is in a separate module in
    heat.common rather than mixed in with the resource's logic.

    Also, use a StringIO object to collect the characters rather than
    repeatedly appending to a string.
    Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
    Closes-Bug: #1757300
    Related-Bug: #1666129
    Related-Bug: #1444429

** Changed in: heat
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1757300

Title:
  RandomString may have less entropy than expected

Status in OpenStack Heat:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
From 1757300 at bugs.launchpad.net Fri Mar 23 16:41:55 2018
From: 1757300 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 23 Mar 2018 16:41:55 -0000
Subject: [Openstack-security] [Bug 1757300] Fix proposed to heat (stable/queens)
References: <152159262637.18509.15861333391173783708.malonedeb@chaenomeles.canonical.com>
Message-ID: <152182331569.18375.7003553703657329393.malone@chaenomeles.canonical.com>

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/555859

https://bugs.launchpad.net/bugs/1757300

Title:
  RandomString may have less entropy than expected

Status in OpenStack Heat:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

From 1757300 at bugs.launchpad.net Fri Mar 23 19:22:08 2018
From: 1757300 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 23 Mar 2018 19:22:08 -0000
Subject: [Openstack-security] [Bug 1757300] Fix proposed to heat (stable/pike)
References: <152159262637.18509.15861333391173783708.malonedeb@chaenomeles.canonical.com>
Message-ID: <152183292812.22077.13192201661722962088.malone@soybean.canonical.com>

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/555905

https://bugs.launchpad.net/bugs/1757300

Title:
  RandomString may have less entropy than expected

Status in OpenStack Heat:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

From 1750074 at bugs.launchpad.net Sun Mar 25 04:30:46 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 25 Mar 2018 04:30:46 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix merged to manila (stable/queens)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152195224610.18795.6326035664973848188.malone@chaenomeles.canonical.com>

Reviewed: https://review.openstack.org/549990
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=1949b403e9feb134d0fb2b9d65271292277351ee
Submitter: Zuul
Branch: stable/queens

commit 1949b403e9feb134d0fb2b9d65271292277351ee
Author: Dustin Schoenbrun
Date: Wed Feb 21 17:02:31 2018 -0500

    Log config options with oslo.config

    This removes some custom code inherited from Cinder which was handling the output of secret options in a bad way. This patch utilizes Oslo's existing utilities to output the Manila configuration options securely. Filtering will be done with the "secret=True" option flag.

    Major thanks to Eric Harney for introducing this fix to Cinder.

    Change-Id: I894e011680661c0b73b9592f70a6457e403f18c6
    Related-Bug: #1750074
    (cherry picked from commit 3d7909deb21a1f0be4cd6eca13dc9e8d070f71e2)

https://bugs.launchpad.net/bugs/1750074

Title:
  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Cinder may log rabbitmq password on connection when DEBUG is on.
  Example on cinder-scheduler.log file after enabling DEBUG: (Password has been replaced with XXX)

    2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url : rabbit://guest:XXX@10.10.10.1:5672,guest:XXX@10.10.10.2:5672,guest:XXX@10.10.10.3:5672 wait /usr/lib/python2.7/site-packages/cinder/service.py:611

  In a production environment, this is pretty bad.

From 1611171 at bugs.launchpad.net Sun Mar 25 05:19:23 2018
From: 1611171 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 25 Mar 2018 05:19:23 -0000
Subject: [Openstack-security] [Bug 1611171] Re: re-runs self via sudo
References: <20160809015520.22289.87995.malonedeb@soybean.canonical.com>
Message-ID: <152195516312.18545.3078248538197046026.malone@chaenomeles.canonical.com>

Reviewed: https://review.openstack.org/371920
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0d4438368fd769a0e6b83bfdaf1cb980f888c504
Submitter: Zuul
Branch: master

commit 0d4438368fd769a0e6b83bfdaf1cb980f888c504
Author: Iswarya_Vakati
Date: Sat Sep 17 17:07:16 2016 +0530

    Don't attempt to escalate manila-manage privileges

    Remove code which allowed manila-manage to attempt to escalate privileges so that configuration files can be read by users who normally wouldn't have access, but do have sudo access.

    Change-Id: Ie3bf9a81ee8d723cd8618643fa9d7382462aae42
    Closes-Bug:#1611171

** Changed in: manila
   Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  Fix Released
Status in Designate:
  Fix Released
Status in ec2-api:
  Fix Released
Status in gce-api:
  Fix Released
Status in Manila:
  Fix Released
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in Rally:
  Fix Released

Bug description:
  Hello, I'm looking through Designate source code to determine if it is appropriate to include in Ubuntu Main. This isn't a full security audit.

  This looks like trouble:

  ./designate/cmd/manage.py

    def main():
        CONF.register_cli_opt(category_opt)
        try:
            utils.read_config('designate', sys.argv)
            logging.setup(CONF, 'designate')
        except cfg.ConfigFilesNotFoundError:
            cfgfile = CONF.config_file[-1] if CONF.config_file else None
            if cfgfile and not os.access(cfgfile, os.R_OK):
                st = os.stat(cfgfile)
                print(_("Could not read %s. Re-running with sudo") % cfgfile)
                try:
                    os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
                except Exception:
                    print(_('sudo failed, continuing as if nothing happened'))

            print(_('Please re-run designate-manage as root.'))
            sys.exit(2)

  This is an interesting decision -- if the configuration file is _not_ readable by the user in question, give the executing user complete privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in programs -- if a user had recently used sudo and thus had the authentication token already stored for their terminal, this 'hidden' use of sudo may be unexpected and unwelcome, especially since it appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)
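Added editorial example, not the reporter's code and not Designate's or Manila's: the fail-closed counterpart of the snippet quoted in the report. When the configuration file is unreadable it reports the file's owner and mode and exits non-zero, leaving any decision to escalate with the operator, instead of re-executing the command under sudo. The exception class, function names, the default path and the injectable `access` hook are the example's own.

```python
"""Fail closed on an unreadable config file instead of re-executing the command via sudo.

Added example; ConfigUnreadable, load_config, the default path and the `access`
hook are assumptions for illustration, not Designate's or Manila's code.
"""
import os
import stat
import sys
import tempfile


class ConfigUnreadable(Exception):
    """Raised instead of escalating; the message tells the operator what to fix."""


def describe(path):
    """Owner, group and mode of `path`, so the error says who can read it."""
    st = os.stat(path)
    return "%s (uid %d, gid %d, mode %s)" % (path, st.st_uid, st.st_gid, stat.filemode(st.st_mode))


def load_config(paths, access=os.access):
    """Return (path, text) for the first existing config file, or raise ConfigUnreadable.

    `access` is injectable so the unreadable branch can be exercised in tests without
    chmod, and regardless of whether the tests run as root (for whom os.access(R_OK) is
    always true). Nothing here ever re-executes the process or invokes sudo.
    """
    for path in paths:
        if not os.path.exists(path):
            continue
        if not access(path, os.R_OK):
            raise ConfigUnreadable("cannot read %s; run as a user with read access or adjust "
                                   "the file's permissions" % describe(path))
        with open(path) as fh:
            return path, fh.read()
    raise ConfigUnreadable("no config file found; looked for: %s" % ", ".join(paths))


def main(argv=None):
    """Exit 0 on success, 2 on any configuration problem; never escalates."""
    argv = sys.argv[1:] if argv is None else argv
    paths = argv or ["/etc/designate/designate.conf"]   # assumed default location
    try:
        path, text = load_config(paths)
    except ConfigUnreadable as exc:
        print("designate-manage: %s" % exc, file=sys.stderr)
        return 2
    print("loaded %s (%d bytes)" % (path, len(text)))
    return 0


def demo():
    """Exercise the three outcomes on a constructed temp file; returns a dict for checking."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("[DEFAULT]\ndebug = false\n")
        sample = fh.name
    try:
        results = {"readable": load_config([sample])[1]}
        try:
            load_config([sample], access=lambda *_: False)
        except ConfigUnreadable as exc:
            results["unreadable"] = str(exc)
        results["missing_rc"] = main([sample + ".does-not-exist"])
        results["ok_rc"] = main([sample])
    finally:
        os.unlink(sample)
    return results


if __name__ == "__main__":
    sys.exit(main())
```

The point is in what the code does not do: the original command-line arguments are never handed to another process, and a cached sudo timestamp cannot be used without the operator typing sudo themselves.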
  Thanks

From 1750074 at bugs.launchpad.net Sun Mar 25 18:10:26 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 25 Mar 2018 18:10:26 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix merged to manila (stable/pike)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152200142695.25611.17179955522399507375.malone@gac.canonical.com>

Reviewed: https://review.openstack.org/549989
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=19aeba1f63f4e864eebda61bf16a078055c79cb0
Submitter: Zuul
Branch: stable/pike

commit 19aeba1f63f4e864eebda61bf16a078055c79cb0
Author: Dustin Schoenbrun
Date: Wed Feb 21 17:02:31 2018 -0500

    Log config options with oslo.config

    This removes some custom code inherited from Cinder which was handling the output of secret options in a bad way. This patch utilizes Oslo's existing utilities to output the Manila configuration options securely. Filtering will be done with the "secret=True" option flag.

    Major thanks to Eric Harney for introducing this fix to Cinder.

    Change-Id: I894e011680661c0b73b9592f70a6457e403f18c6
    Related-Bug: #1750074
    (cherry picked from commit 3d7909deb21a1f0be4cd6eca13dc9e8d070f71e2)
    (cherry picked from commit 1949b403e9feb134d0fb2b9d65271292277351ee)

https://bugs.launchpad.net/bugs/1750074

Title:
  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

From 1750074 at bugs.launchpad.net Sun Mar 25 18:18:32 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 25 Mar 2018 18:18:32 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix proposed to manila (stable/ocata)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152200191218.19246.16110515943805784352.malone@chaenomeles.canonical.com>

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/556276

https://bugs.launchpad.net/bugs/1750074

Title:
  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
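Added editorial example, not Cinder's or Manila's code: a detector and redactor for credentials embedded in URLs, of the kind the transport_url DEBUG line in bug 1750074 shows. The manila fix quoted in the commits above prevents the leak at the source with oslo.config's secret=True; this block is the complementary check a responder runs over logs that were already written, and produces a masked copy that is safe to quote. The regular expression, function names and the SAMPLE_LOG lines (constructed, with placeholder passwords) are the example's own.

```python
"""Find and redact credentials embedded in URLs (e.g. rabbit://user:pass@host) in log text.

Added example; the regex, function names and SAMPLE_LOG are assumptions built to
mirror the transport_url line quoted in bug 1750074, not Cinder's or Manila's code.
"""
import re

# `user:secret@` right after a scheme's "://" or after a "," in a multi-host list such as
# rabbit://u:p@h1:5672,u:p@h2:5672. The secret may not contain '@', '/', ',' or whitespace.
_URL_CRED = re.compile(r"(?P<prefix>(?:://|,)[^\s:/@,]+:)(?P<secret>[^\s@/,]+)@")


def mask_url_credentials(text, mask="***"):
    """Replace every URL password in `text` with `mask`, keeping user, host and port."""
    return _URL_CRED.sub(lambda m: "%s%s@" % (m.group("prefix"), mask), text)


def find_credential_leaks(lines):
    """Return (line_number, masked_line) for every line that carries a URL credential.

    The masked copy is safe to quote in a ticket or alert; the original line is not.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        if _URL_CRED.search(line):
            hits.append((number, mask_url_credentials(line)))
    return hits


# Constructed sample, shaped like the DEBUG line in the report; the passwords are placeholders.
SAMPLE_LOG = [
    "2018-02-05 19:21:52.700 35 INFO cinder.service [req-00000000-0000-0000-0000-000000000001 - - - - -] "
    "Starting cinder-scheduler node (version 12.0.0)",
    "2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-00000000-0000-0000-0000-000000000001 - - - - -] "
    "transport_url : rabbit://guest:pw-placeholder-1@10.10.10.1:5672,guest:pw-placeholder-2@10.10.10.2:5672 "
    "wait cinder/service.py:611",
    "2018-02-05 19:21:52.730 35 DEBUG oslo.messaging._drivers.impl_rabbit [-] "
    "Connecting to AMQP server on 10.10.10.1:5672",
    "2018-02-05 19:21:52.745 35 DEBUG cinder.service [req-00000000-0000-0000-0000-000000000001 - - - - -] "
    "connection : mysql+pymysql://cinder:db-placeholder@10.10.10.5/cinder wait cinder/service.py:611",
]

if __name__ == "__main__":
    for number, masked in find_credential_leaks(SAMPLE_LOG):
        print("line %d: %s" % (number, masked))
```

A hit means the secret must be treated as exposed to everyone who could read that log file, so masking the line is the start of the response, not the end of it. The pattern is deliberately broad (a bare `a,b:c@d` token would also match), which is the right trade-off for a detector; for masking inside an application, oslo.utils provides strutils.mask_password for the same purpose.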
From 1750074 at bugs.launchpad.net Sun Mar 25 23:20:03 2018
From: 1750074 at bugs.launchpad.net (OpenStack Infra)
Date: Sun, 25 Mar 2018 23:20:03 -0000
Subject: [Openstack-security] [Bug 1750074] Related fix merged to manila (stable/ocata)
References: <151882033265.13602.7690410348638039764.malonedeb@gac.canonical.com>
Message-ID: <152202000396.26239.14737520432721579138.malone@gac.canonical.com>

Reviewed: https://review.openstack.org/556276
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=4f5811de9684d2b868d5969eaba983a12679ab81
Submitter: Zuul
Branch: stable/ocata

commit 4f5811de9684d2b868d5969eaba983a12679ab81
Author: Dustin Schoenbrun
Date: Wed Feb 21 17:02:31 2018 -0500

    Log config options with oslo.config

    This removes some custom code inherited from Cinder which was handling the output of secret options in a bad way. This patch utilizes Oslo's existing utilities to output the Manila configuration options securely. Filtering will be done with the "secret=True" option flag.

    Major thanks to Eric Harney for introducing this fix to Cinder.

    Change-Id: I894e011680661c0b73b9592f70a6457e403f18c6
    Related-Bug: #1750074
    (cherry picked from commit 3d7909deb21a1f0be4cd6eca13dc9e8d070f71e2)
    (cherry picked from commit 1949b403e9feb134d0fb2b9d65271292277351ee)
    (cherry picked from commit 19aeba1f63f4e864eebda61bf16a078055c79cb0)

https://bugs.launchpad.net/bugs/1750074

Title:
  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

From 1713783 at bugs.launchpad.net Wed Mar 28 14:08:22 2018
From: 1713783 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 28 Mar 2018 14:08:22 -0000
Subject: [Openstack-security] [Bug 1713783] Re: After failed evacuation the recovered source compute tries to delete the instance
References: <150402703560.19393.11649471063519714290.malonedeb@chaenomeles.canonical.com>
Message-ID: <152224610397.20654.8846951730081199869.launchpad@chaenomeles.canonical.com>

** Changed in: nova/ocata
   Assignee: Balazs Gibizer (balazs-gibizer) => Illes Elod (elod-illes)

https://bugs.launchpad.net/bugs/1713783

Title:
  After failed evacuation the recovered source compute tries to delete the instance

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Triaged
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description
  ===========
  In case of a failed evacuation attempt the status of the migration is 'accepted' instead of 'failed' so when source compute is recovered the compute manager tries to delete the instance from the source host. However a secondary fault prevents deleting the allocation in placement so the actual deletion of the instance fails as well.
  Steps to reproduce
  ==================
  The following functional test reproduces the bug: https://review.openstack.org/#/c/498482/

  What it does: initiate evacuation when no valid host is available and evacuation fails, but nova manager still tries to delete the instance.

  Logs:

    2017-08-29 19:11:15,751 ERROR [oslo_messaging.rpc.server] Exception during message handling
    NoValidHost: No valid host was found. There are not enough hosts available.
    2017-08-29 19:11:16,103 INFO [nova.tests.functional.test_servers] Running periodic for compute1 (host1)
    2017-08-29 19:11:16,115 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/4e8e23ff-0c52-4cf7-8356-d9fa88536316/aggregates" status: 200 len: 18 microversion: 1.1
    2017-08-29 19:11:16,120 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/4e8e23ff-0c52-4cf7-8356-d9fa88536316/inventories" status: 200 len: 401 microversion: 1.0
    2017-08-29 19:11:16,131 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/4e8e23ff-0c52-4cf7-8356-d9fa88536316/allocations" status: 200 len: 152 microversion: 1.0
    2017-08-29 19:11:16,138 INFO [nova.compute.resource_tracker] Final resource view: name=host1 phys_ram=8192MB used_ram=1024MB phys_disk=1028GB used_disk=1GB total_vcpus=10 used_vcpus=1 pci_stats=[]
    2017-08-29 19:11:16,146 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/4e8e23ff-0c52-4cf7-8356-d9fa88536316/aggregates" status: 200 len: 18 microversion: 1.1
    2017-08-29 19:11:16,151 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/4e8e23ff-0c52-4cf7-8356-d9fa88536316/inventories" status: 200 len: 401 microversion: 1.0
    2017-08-29 19:11:16,152 INFO [nova.tests.functional.test_servers] Running periodic for compute2 (host2)
    2017-08-29 19:11:16,163 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/531b1ce8-def1-455d-95b3-4140665d956f/aggregates" status: 200 len: 18 microversion: 1.1
    2017-08-29 19:11:16,168 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/531b1ce8-def1-455d-95b3-4140665d956f/inventories" status: 200 len: 401 microversion: 1.0
    2017-08-29 19:11:16,176 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/531b1ce8-def1-455d-95b3-4140665d956f/allocations" status: 200 len: 54 microversion: 1.0
    2017-08-29 19:11:16,184 INFO [nova.compute.resource_tracker] Final resource view: name=host2 phys_ram=8192MB used_ram=512MB phys_disk=1028GB used_disk=0GB total_vcpus=10 used_vcpus=0 pci_stats=[]
    2017-08-29 19:11:16,192 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/531b1ce8-def1-455d-95b3-4140665d956f/aggregates" status: 200 len: 18 microversion: 1.1
    2017-08-29 19:11:16,197 INFO [nova.api.openstack.placement.requestlog] 127.0.0.1 "GET /placement/resource_providers/531b1ce8-def1-455d-95b3-4140665d956f/inventories" status: 200 len: 401 microversion: 1.0
    2017-08-29 19:11:16,198 INFO [nova.tests.functional.test_servers] Finished with periodics
    2017-08-29 19:11:16,255 INFO [nova.api.openstack.requestlog] 127.0.0.1 "GET /v2.1/6f70656e737461636b20342065766572/servers/5058200c-478e-4449-88c1-906fdd572662" status: 200 len: 1875 microversion: 2.53 time: 0.056198
    2017-08-29 19:11:16,262 INFO [nova.api.openstack.requestlog] 127.0.0.1 "GET /v2.1/6f70656e737461636b20342065766572/os-migrations" status: 200 len: 373 microversion: 2.53 time: 0.004618
    2017-08-29 19:11:16,280 INFO [nova.api.openstack.requestlog] 127.0.0.1 "PUT /v2.1/6f70656e737461636b20342065766572/os-services/c269bc74-4720-4de4-a6e5-889080b892a0" status: 200 len: 245 microversion: 2.53 time: 0.016442
    2017-08-29 19:11:16,281 INFO [nova.service] Starting compute node (version 16.0.0)
    2017-08-29 19:11:16,296 INFO [nova.compute.manager] Deleting instance as it has been evacuated from this host

From 1750843 at bugs.launchpad.net Wed Mar 28 16:51:27 2018
From: 1750843 at bugs.launchpad.net (Matthew Thode)
Date: Wed, 28 Mar 2018 16:51:27 -0000
Subject: [Openstack-security] [Bug 1750843] Re: pysaml2 version in global requirements must be updated to 4.5.0
References: <151922537889.2431.9740442844817515971.malonedeb@gac.canonical.com>
Message-ID: <152225588795.12765.15172112886580975519.malone@gac.canonical.com>

keystone, you can test by depending on this patch https://review.openstack.org/557434

** Also affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1750843

Title:
  pysaml2 version in global requirements must be updated to 4.5.0

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Global Requirements:
  New

Bug description:
  As per security vulnerability CVE-2016-10149, XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response and it has a CVSS v3 Base Score of 7.5.

  The above vulnerability has been fixed in version 4.5.0 as per https://github.com/rohe/pysaml2/issues/366. The latest version of pysaml2 (https://pypi.python.org/pypi/pysaml2/4.5.0) has this fix.

  However, the global requirements has the version set to < 4.0.3

  https://github.com/openstack/requirements/blob/master/global-requirements.txt#L230
  pysaml2>=4.0.2,<4.0.3

  https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L347
  pysaml2===4.0.2

  The version of pysaml2 supported for OpenStack should be updated such that OpenStack deployments are not vulnerable to the above mentioned CVE.
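Added editorial example, not part of the report and not the openstack/requirements tooling: a check that takes a requirements or constraints line, such as the two quoted above, and reports which of a set of candidate releases the pin still admits, split by whether they are below the version that carries the fix. It is the kind of check a dependency review runs when a CVE lands on a pinned library. The comparator understands plain dotted versions only, treats the arbitrary-equality operator `===` as `==`, and assumes every release below `fixed_in` is affected (that is, that the fix was not reverted later); the function names are the example's own.

```python
"""Check whether a requirements/constraints pin confines a package to versions below a known fix.

Added example, not the openstack/requirements tooling: the comparator handles plain
dotted versions only (enough for pysaml2>=4.0.2,<4.0.3 and pysaml2===4.0.2) and treats
every version below `fixed_in` as affected, which assumes the fix was not reverted later.
"""
import re

_OPS = {
    "===": lambda v, b: v == b,     # arbitrary equality in a constraints file; treated as ==
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
    "<=": lambda v, b: v <= b,
    ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b,
    ">": lambda v, b: v > b,
}
_CLAUSE = re.compile(r"(===|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'4.0.2' -> (4, 0, 2); tuples compare the way release numbers should."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(line):
    """'pysaml2>=4.0.2,<4.0.3  # note' -> ('pysaml2', [('>=', (4, 0, 2)), ('<', (4, 0, 3))])."""
    line = line.split("#", 1)[0].strip()
    match = re.match(r"([A-Za-z0-9][A-Za-z0-9._\-]*)\s*(.*)", line)
    if not match:
        raise ValueError("not a requirement line: %r" % line)
    name, rest = match.group(1), match.group(2)
    specs = []
    for clause in (c.strip() for c in rest.split(",") if c.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError("unsupported specifier %r in %r" % (clause, line))
        specs.append((m.group(1), parse_version(m.group(2))))
    return name, specs


def allows(specs, version):
    """True if `version` satisfies every clause (an empty spec list allows everything)."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in specs)


def audit_pin(line, fixed_in, candidates):
    """Split the candidate versions the pin admits into affected (< fixed_in) and fixed."""
    _, specs = parse_requirement(line)
    fixed = parse_version(fixed_in)
    admitted = [c for c in candidates if allows(specs, c)]
    return {
        "affected_allowed": [c for c in admitted if parse_version(c) < fixed],
        "fixed_allowed": [c for c in admitted if parse_version(c) >= fixed],
    }


if __name__ == "__main__":
    # The two lines quoted in the bug, checked against releases named in the report.
    releases = ["4.0.2", "4.4.0", "4.5.0"]
    for pin in ("pysaml2>=4.0.2,<4.0.3", "pysaml2===4.0.2", "pysaml2>=4.5.0"):
        print("%-24s %s" % (pin, audit_pin(pin, "4.5.0", releases)))
```

For both lines quoted in the report the result is an empty `fixed_allowed` list, which is the condition that turns a library CVE into a deployment problem: no install that honours the pin can pick up the fixed release until the pin itself moves.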
  pysaml2 is used by OpenStack Keystone for identity Federation. This bug in itself is not a security vulnerability but not fixing this bug causes OpenStack deployments to be vulnerable.

From 1737207 at bugs.launchpad.net Wed Mar 28 17:47:17 2018
From: 1737207 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 28 Mar 2018 17:47:17 -0000
Subject: [Openstack-security] [Bug 1737207] Re: Guest admin password and network information is logged at debug if libvirt.inject_partition != -2
References: <151275282506.3764.13107222303228891439.malonedeb@gac.canonical.com>
Message-ID: <152225923726.14119.10534816121309074630.malone@soybean.canonical.com>

Reviewed: https://review.openstack.org/548289
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=088bf6df8ee332f1c24493430003a5bf1b77b2ce
Submitter: Zuul
Branch: stable/queens

commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce
Author: Matt Riedemann
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)

** Changed in: nova/queens
   Status: In Progress => Fix Committed
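Added editorial example illustrating the pattern behind the "libvirt: mask InjectionInfo.admin_pass" commit above; it is not nova's code. The secret is masked in the object's own repr(), so a `%r` or `%s` in any debug log line renders it as a marker while the field itself stays usable by the code that needs it. The stand-in InjectionInfo, the `<SANITIZED>` marker, the capturing log handler and the helper names are assumptions of the example.

```python
"""Mask a secret field at the type level so %r/%s in any debug log cannot print it.

Added example modelled on the "mask InjectionInfo.admin_pass" fix; this InjectionInfo
is a constructed stand-in, not nova's class, and the <SANITIZED> marker and helper
names are assumptions.
"""
import collections
import logging

_Fields = collections.namedtuple("InjectionInfo", ["network_info", "files", "admin_pass"])


class InjectionInfo(_Fields):
    """Carries admin_pass for use, but never reveals it through repr()/str()."""
    __slots__ = ()

    def __repr__(self):
        return ("InjectionInfo(network_info=%r, files=%r, admin_pass=<SANITIZED>)"
                % (self.network_info, self.files))


class _ListHandler(logging.Handler):
    """Collects records instead of writing them, so the rendered message can be inspected."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def log_injection(info, logger_name="nova.virt.libvirt.driver.example"):
    """Log `info` the way the driver does (DEBUG, %r) and return the rendered message."""
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        logger.debug("Injecting %r", info)
    finally:
        logger.removeHandler(handler)
    return handler.records[0].getMessage()


def leaks_through_dict(info):
    """True if converting the object to a dict (which bypasses __repr__) exposes the secret.

    This is the caveat: masking in __repr__ protects log calls on the object itself,
    not on copies of its fields.
    """
    return info.admin_pass in repr(info._asdict())


if __name__ == "__main__":
    sample = InjectionInfo(network_info=[{"address": "10.1.0.6"}], files=[],
                           admin_pass="example-password-placeholder")
    print(log_injection(sample))
    print("dict conversion leaks:", leaks_through_dict(sample))
```

Masking in the type is preferable to remembering to strip the field at every log call site, which is how the original leak happened; the `leaks_through_dict` check shows the limit of the approach, so serialised copies of the object (dicts, JSON, RPC payloads) still need their own handling.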
https://bugs.launchpad.net/bugs/1737207

Title:
  Guest admin password and network information is logged at debug if libvirt.inject_partition != -2

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in OpenStack Compute (nova) pike series:
  In Progress
Status in OpenStack Compute (nova) queens series:
  Fix Committed

Bug description:
  When using the libvirt driver and the inject_partition config option is != -2 (disabled), the driver will log the network information and admin password about the guest during disk injection:

  http://logs.openstack.org/50/524750/1/check/legacy-tempest-dsvm-neutron-full-centos-7/a7f051e/logs/screen-n-cpu.txt.gz#_Dec_04_13_42_41_311316

    Dec 04 13:42:41.311316 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Checking root disk injection InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3115}}
    Dec 04 13:42:41.314687 centos-7-rax-dfw-0001196569 nova-compute[7962]: DEBUG nova.virt.libvirt.driver [None req-80dab566-372b-43d7-88f9-d807cc9cb673 service nova] [instance: 941f8290-5e14-4b53-85c9-c5045de9a067] Injecting InjectionInfo(network_info=[{"profile": {}, "ovs_interfaceid": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [], "address": "10.1.0.6"}], "version": 4, "meta": {"dhcp_server": "10.1.0.2"}, "dns": [], "routes": [], "cidr": "10.1.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.1.0.1"}}], "meta": {"injected": false, "tenant_id": "77504d716f9d4f38a021cbfa4f0e28ee", "mtu": 1450}, "id": "766bb2bf-e1c0-43b8-8800-5737351e9a03", "label": "tempest-ServersTestJSON-518988576-network"}, "devname": "tap56e5a50e-d3", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true, "datapath_type": "system", "ovs_hybrid_plug": true}, "address": "fa:16:3e:d3:8e:f8", "active": false, "type": "ovs", "id": "56e5a50e-d30e-4814-aee3-fcc9525d12ca", "qbg_params": null}], files=[], admin_pass=u'V2^cP#tYp*=UD&7') {{(pid=7962) _inject_data /opt/stack/new/nova/nova/virt/libvirt/driver.py:3146}}

  This was introduced in Ocata (15.0.0): https://review.openstack.org/#/c/337790/

From 1737207 at bugs.launchpad.net Thu Mar 29 03:58:54 2018
From: 1737207 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 29 Mar 2018 03:58:54 -0000
Subject: [Openstack-security] [Bug 1737207] Re: Guest admin password and network information is logged at debug if libvirt.inject_partition != -2
References: <151275282506.3764.13107222303228891439.malonedeb@gac.canonical.com>
Message-ID: <152229593423.8635.13368370566679974323.malone@wampee.canonical.com>
Reviewed: https://review.openstack.org/548312
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=13b598d371e7d0a67a953a87666d2e6adbc38372
Submitter: Zuul
Branch: stable/pike

commit 13b598d371e7d0a67a953a87666d2e6adbc38372
Author: Matt Riedemann
Date: Fri Dec 8 16:02:44 2017 -0500

    libvirt: mask InjectionInfo.admin_pass

    Logging network information and the admin password for guest instances is not ideal, so let's not do it.

    Change-Id: I328ba88b128c6c125e65d850ed7a6e57049dc7e2
    Closes-Bug: #1737207
    (cherry picked from commit 6839630e86d958dcda8585664586754d419363a7)
    (cherry picked from commit 088bf6df8ee332f1c24493430003a5bf1b77b2ce)

** Changed in: nova/pike
   Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1737207

Title:
  Guest admin password and network information is logged at debug if libvirt.inject_partition != -2

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Compute (nova) queens series:
  Fix Committed

From lbragstad at gmail.com Thu Mar 29 21:14:55 2018
From: lbragstad at gmail.com (Lance Bragstad)
Date: Thu, 29 Mar 2018 21:14:55 -0000
Subject: [Openstack-security] [Bug 1750843] Re: pysaml2 version in global requirements must be updated to 4.5.0
References: <151922537889.2431.9740442844817515971.malonedeb@gac.canonical.com>
Message-ID: <152235809587.3673.14151116090979240685.malone@chaenomeles.canonical.com>

Given the comments from the keystone team, I'm going to mark this as Low for the time being. The patch Matt linked in comment #11 also passed when depending on a bump of pysaml2 to version 4.5.0.

From a keystone perspective, we should be able to close this once the OpenStack Proposal Bot proposes an update of pysaml2 to keystone's requirements file.

** Changed in: keystone
   Status: New => Confirmed

** Changed in: keystone
   Importance: Undecided => Low

https://bugs.launchpad.net/bugs/1750843

Title:
  pysaml2 version in global requirements must be updated to 4.5.0

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Global Requirements:
  New
  The latest version of pysaml2 (https://pypi.python.org/pypi/pysaml2/4.5.0)
  has this fix. However, the global requirements has the version set to
  < 4.0.3:

  https://github.com/openstack/requirements/blob/master/global-requirements.txt#L230
  pysaml2>=4.0.2,<4.0.3

  https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L347
  pysaml2===4.0.2

  The version of pysaml2 supported for OpenStack should be updated such
  that OpenStack deployments are not vulnerable to the above mentioned
  CVE. pysaml2 is used by OpenStack Keystone for identity federation.
  This bug in itself is not a security vulnerability, but not fixing this
  bug causes OpenStack deployments to be vulnerable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750843/+subscriptions

From lbragstad at gmail.com Thu Mar 29 21:15:11 2018
From: lbragstad at gmail.com (Lance Bragstad)
Date: Thu, 29 Mar 2018 21:15:11 -0000
Subject: [Openstack-security] [Bug 1750843] Re: pysaml2 version in global requirements must be updated to 4.5.0
References: <151922537889.2431.9740442844817515971.malonedeb@gac.canonical.com>
Message-ID: <152235811137.8225.12040692653120342002.malone@wampee.canonical.com>

Relevant context from IRC:
http://eavesdrop.openstack.org/irclogs/%23openstack-requirements/%23openstack-requirements.2018-03-29.log.html#t2018-03-29T20:58:08

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1750843

Title:
  pysaml2 version in global requirements must be updated to 4.5.0

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Global Requirements:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1750843/+subscriptions
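The disclosure in bug 1737207 (nova message above) comes from logging a whole InjectionInfo namedtuple at DEBUG: the default repr prints every field, admin_pass included. The following added example is not nova's code; it puts the leaky namedtuple beside a variant whose __repr__ masks the password, which is the approach the commit title "libvirt: mask InjectionInfo.admin_pass" describes. Field names follow the log line; the logger name, helper names and sample data are constructed.

```python
import collections
import io
import logging

# Leaky shape: a plain namedtuple. Its default repr prints every field, so a
# DEBUG statement like LOG.debug('Injecting %s', info) discloses admin_pass.
LeakyInjectionInfo = collections.namedtuple(
    'InjectionInfo', ['network_info', 'files', 'admin_pass'])


class InjectionInfo(collections.namedtuple(
        'InjectionInfo', ['network_info', 'files', 'admin_pass'])):
    """Same fields, same attribute access; only the repr changes."""
    __slots__ = ()

    def __repr__(self):
        # The secret stays readable via .admin_pass for the code that needs
        # it, but never reaches a log line through %s / %r formatting.
        return ('InjectionInfo(network_info=%r, files=%r, admin_pass=***)'
                % (self.network_info, self.files))


def log_and_capture(info):
    """Log `info` at DEBUG the way the driver does and return the output."""
    buf = io.StringIO()
    logger = logging.getLogger('example.nova.virt.libvirt.driver')  # constructed
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        logger.debug('Injecting %s', info)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


def leaks_secret(info, secret):
    """True if the plaintext secret appears in what reached the log handler."""
    return secret in log_and_capture(info)


# Constructed sample data shaped like the bug report's fields (not real).
SAMPLE_NETWORK_INFO = [{"id": "port-0001", "address": "fa:16:3e:00:00:01"}]
SAMPLE_PASSWORD = 'constructed-example-password'


def demo():
    """Return (leaky_discloses, masked_discloses) for the sample password."""
    leaky = LeakyInjectionInfo(SAMPLE_NETWORK_INFO, [], SAMPLE_PASSWORD)
    masked = InjectionInfo(SAMPLE_NETWORK_INFO, [], SAMPLE_PASSWORD)
    return leaks_secret(leaky, SAMPLE_PASSWORD), leaks_secret(masked, SAMPLE_PASSWORD)
```

The same check works as a unit test against any object that is routinely logged whole: construct it with a marker value and assert the marker never appears in captured log output.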