[Openstack-security] [Bug 1686743] Re: Ceph credentials included in logs using older libvirt/qemu
Jeremy Stanley
fungi at yuggoth.org
Thu Aug 29 19:56:20 UTC 2019
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
Older versions of libvirt included network storage authentication
information on the qemu command line. If libvirt raises an exception
which logs the qemu command line it used, for example an error starting
a domain, this authentication information will end up in the logs. There
is an existing CVE for this issue here:
https://access.redhat.com/security/cve/CVE-2015-5160
Specifically, if a deployment is using ceph, a libvirt error starting a
domain would log the cephx secret key and the monitor addresses on the
qemu command line.
The issue has been resolved upstream. Users running qemu version 2.6 or
later, and libvirt version 2.2 or later, are not vulnerable. No change
is required in Nova to resolve this issue.
Red Hat users running RHEL 7.3 or later are not vulnerable.
It's not 100% clear to me that an OpenStack CVE is required here as it's
not a bug in an OpenStack component, and it's already fixed upstream.
However, it did come to my attention after a user publicly posted their
ceph credentials on IRC, so evidently some OpenStack users are running
vulnerable systems, and this is a very common configuration.
In Nova, we currently have:
MIN_LIBVIRT_VERSION = (1, 2, 9)
MIN_QEMU_VERSION = (2, 1, 0)
so anybody running the minimum supported versions will be vulnerable.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1686743
Title:
Ceph credentials included in logs using older libvirt/qemu
Status in OpenStack Compute (nova):
Opinion
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
Older versions of libvirt included network storage authentication
information on the qemu command line. If libvirt raises an exception
which logs the qemu command line it used, for example an error
starting a domain, this authentication information will end up in the
logs. There is an existing CVE for this issue here:
https://access.redhat.com/security/cve/CVE-2015-5160
Specifically, if a deployment is using ceph, a libvirt error starting
a domain would log the cephx secret key and the monitor addresses on
the qemu command line.
The issue has been resolved upstream. Users running qemu version 2.6
or later, and libvirt version 2.2 or later, are not vulnerable. No
change is required in Nova to resolve this issue.
Red Hat users running RHEL 7.3 or later are not vulnerable.
It's not 100% clear to me that an OpenStack CVE is required here as
it's not a bug in an OpenStack component, and it's already fixed
upstream. However, it did come to my attention after a user publicly
posted their ceph credentials on IRC, so evidently some OpenStack
users are running vulnerable systems, and this is a very common
configuration.
In Nova, we currently have:
MIN_LIBVIRT_VERSION = (1, 2, 9)
MIN_QEMU_VERSION = (2, 1, 0)
so anybody running the minimum supported versions will be vulnerable.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1686743/+subscriptions
More information about the Openstack-security
mailing list