[Openstack-security] [Bug 1470740] Re: swiftclient disclose token in debug logs

George Shuklin 1470740 at bugs.launchpad.net
Thu Jul 2 15:29:00 UTC 2015


I may agree that local logs with DEBUG are not a big deal, but if
use_syslog=True is enabled, then, yes, it can cause unexpected
consequences.

For example, in our real-world installation I just wanted to see debug
logs from glance for a short time, and I didn't expect to disclose them
to low-clearance support personnel, and this was suddenly a BIG issue
for our security department.

I was forced to write down an official explanation about the accidental
credential disclosure and perform an in-house audit of all swift access
logs to prove there were no attempts of unauthorized access to
snapshots with sensitive data.

OSSN is not enough, because it can be necessary to enable debug for a
service (like glance).

Proposal: perform token masking only if logs are sent to syslog.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1470740

Title:
  swiftclient disclose token in debug logs

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Security Notes:
  New
Status in Python client library for Swift:
  New

Bug description:
  Setup: Juno. Nova, Glance + swiftclient.

  glance-api.conf (important parts):

  [DEFAULT]
  debug = true
  logging_context_format_string=%(name)s[%(process)d]: %(levelname)s %(instance)s%(message)s [%(request_id)s %(user)s %(tenant)s]
  logging_default_format_string=%(name)s[%(process)d]: %(levelname)s %(instance)s%(message)s
  logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
  logging_exception_prefix=%(name)s[%(process)d]: TRACE %(instance)s
  default_store = swift
  use_syslog = True
  syslog_log_facility = LOG_LOCAL2
  swift_store_auth_address = https://my.hand.disclosing.corporte.url:5000/v2.0
  swift_store_user = tenant:user
  swift_store_key = sexgodqwerty123456love

  Result in remote syslog:

  DEBUG REQ: curl -i
  https://my.hand.disclosing.corporte.url:8080/v1/OMG_47e02d5a461148ef9f9dab62ea0ba64b/region/6a66d8dc-5748-4cb5-9db5-b12ab0d1c698-00007
  -X PUT -H "X-Auth-Token: 6f64276e2074726461650a6d" http_log
  /usr/lib/python2.7/dist-packages/swiftclient/client.py:95

  Versions:

  ii  python-swift                        2.2.0-0ubuntu1~cloud0                                all          distributed virtual object store - Python libraries
  ii  python-swiftclient                  1:2.3.0-0ubuntu1~cloud0                              all          Client library for Openstack Swift API.
  ii  glance-api                          1:2014.2.3-0-ownbuild  all          OpenStack Image Registry and Delivery Service - API
  ii  glance-common                       1:2014.2.3-ownbuild  all          OpenStack Image Registry and Delivery Service - Common
  ii  python-glance                       1:2014.2.3-0ownbuild  all          OpenStack Image Registry and Delivery Service - Python library
  ii  python-glance-store                 0.1.8-1ubuntu2~cloud0                                all          OpenStack Image Service store library - Python 2.x
  ii  python-glanceclient                 1:0.14.0-0ubuntu1~cloud0                             all          Client library for Openstack glance server.

  Impact:
  1) An unprivileged employee with access to the logging facility may get access to glance images, including snapshots of the tenants.
  2) Syslog is transmitted unencrypted over UDP or TCP and may be viewed by an unauthorized person.

  Expected behavior:
  Complete or partial token masking in logs, e.g.:

  DEBUG REQ: curl -i
  https://my.hand.disclosing.corporte.url:8080/v1/OMG_47e02d5a461148ef9f9dab62ea0ba64b/region/6a66d8dc-5748-4cb5-9db5-b12ab0d1c698-00007
  -X PUT -H "X-Auth-Token: 6****************d" http_log
  /usr/lib/python2.7/dist-packages/swiftclient/client.py:95

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1470740/+subscriptions
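The partial masking the reporter asks for under "Expected behavior", written as a stand-alone Python logging filter so the curl-style REQ line is redacted before it reaches any handler. This is an added example, not swiftclient's own code and not the fix that landed for this bug; the regex, the function and class names, the sample URL and account name are assumptions constructed for the demo, and only the token value is taken from the report.

```python
import io
import logging
import re

# Matches the value following an X-Auth-Token header in a curl-style debug
# line of the shape swiftclient's http_log emits:
#   -H "X-Auth-Token: 6f64276e2074726461650a6d"
# (assumed pattern; the header value is anything up to a quote or whitespace)
TOKEN_RE = re.compile(r'(X-Auth-Token:\s*)([^"\'\s]+)', re.IGNORECASE)

# Constructed sample line: placeholder host and account, token from the report.
SAMPLE_LINE = (
    'REQ: curl -i https://swift.example.test:8080/v1/AUTH_example/region/obj-00007'
    ' -X PUT -H "X-Auth-Token: 6f64276e2074726461650a6d"'
)


def mask_token(token, keep=1, stars=16):
    """Partial mask: keep the first and last `keep` characters and replace the
    middle with a fixed-width run of asterisks, so the masked form reveals
    neither the token nor its length. Tokens too short to keep ends from are
    masked completely."""
    if len(token) <= 2 * keep:
        return "*" * stars
    return token[:keep] + "*" * stars + token[-keep:]


def redact_line(line):
    """Replace every X-Auth-Token value in a formatted log line."""
    return TOKEN_RE.sub(lambda m: m.group(1) + mask_token(m.group(2)), line)


class TokenRedactingFilter(logging.Filter):
    """Rewrites each record's message in place. Attached to one handler it
    redacts only what that handler emits (e.g. a SysLogHandler, which is the
    narrow behaviour proposed in the thread); attached to every handler it
    masks local files as well."""

    def filter(self, record):
        # getMessage() applies %-args first, so the redaction sees the final
        # text; args are cleared so the formatter does not re-apply them.
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True


def capture_redacted(line):
    """Send a debug line through a handler carrying the filter and return
    exactly what that handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(TokenRedactingFilter())
    logger = logging.getLogger("swiftclient.redaction_demo")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.debug(line)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(capture_redacted(SAMPLE_LINE), end="")
```

Attaching the filter to the handler rather than the logger matters here: a logger-level filter only sees records logged directly to that logger, not records propagated from child loggers such as swiftclient.client, whereas a handler-level filter sees everything that handler would emit.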
