[Openstack-security] [Bug 1549547] Re: LBaaS leaking password in logs

Tristan Cacqueray tdecacqu at redhat.com
Mon Feb 29 15:19:15 UTC 2016 

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Summary changed:

- LBaaS leaking password in logs
+ LBaaS leaking password in DEBUG logs

** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  Current code leaks the keystone admin_password in the cfg into log
  files:
  
  Example from DevStack q-svc.log:
  [00;32mDEBUG oslo_service.service [^[[00;36m-^[[00;32m] ^[[01;35m^[[00;32mservice_auth.admin_password    = password
  
  Issue is that the cfg.StrOpt for admin_password did not set 'secret=True", which would give:
  service_auth.admin_password    = ****

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1549547

Title:
  LBaaS leaking password in DEBUG logs

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Current code leaks the keystone admin_password in the cfg into log
  files:

  Example from DevStack q-svc.log:
  [00;32mDEBUG oslo_service.service [^[[00;36m-^[[00;32m] ^[[01;35m^[[00;32mservice_auth.admin_password    = password

  Issue is that the cfg.StrOpt for admin_password did not set 'secret=True", which would give:
  service_auth.admin_password    = ****

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1549547/+subscriptions

More information about the Openstack-security mailing list