[Openstack-security] [Bug 1685678] Re: swap volume operation may leak credentials into debug logs
Jeremy Stanley
fungi at yuggoth.org
Sun May 21 13:11:16 UTC 2017
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
The swap volume code in the compute service logs old and new volume
connection_info dicts to debug here:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4930
The new connection_info comes from Cinder:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4901
That's a plain dict from the response which may contain credentials.
The old connection_info comes from the
nova.objects.block_device.BlockDeviceMapping object, which uses
SensitiveStringField to sanitize the field's value when logged:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4904
https://github.com/openstack/oslo.versionedobjects/blob/1.23.0/oslo_versionedobjects/fields.py#L280
The new connection_info could contain credentials though, so we should
mask those when logging it, even at debug level.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1685678
Title:
swap volume operation may leak credentials into debug logs
Status in OpenStack Compute (nova):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The swap volume code in the compute service logs old and new volume
connection_info dicts to debug here:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4930
The new connection_info comes from Cinder:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4901
That's a plain dict from the response which may contain credentials.
The old connection_info comes from the
nova.objects.block_device.BlockDeviceMapping object, which uses
SensitiveStringField to sanitize the field's value when logged:
https://github.com/openstack/nova/blob/1ad41c0b0c844b65424251dbc3399039789b064f/nova/compute/manager.py#L4904
https://github.com/openstack/oslo.versionedobjects/blob/1.23.0/oslo_versionedobjects/fields.py#L280
The new connection_info could contain credentials though, so we should
mask those when logging it, even at debug level.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1685678/+subscriptions
More information about the Openstack-security
mailing list