[Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log
Jeremy Stanley
fungi at yuggoth.org
Mon Mar 5 21:07:57 UTC 2018
I'm marking the advisory task won't fix and triaging this as a potential
security hardening opportunity. In the past we've considered information
leaking in DEBUG level logs to fit the B3 classification (a
vulnerability in experimental or debugging features not intended for
production use) in our report taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
** Information type changed from Public Security to Public
** Tags added: security
** Changed in: ossa
Status: New => Won't Fix
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1750074
Title:
Cinder logs rabbitmq password on connection log
Status in Cinder:
Fix Released
Status in Manila:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Cinder may log rabbitmq password on connection when DEBUG is on.
Example on cinder-scheduler.log file after enabling DEBUG:
(Password has been replaced with XXX)
2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url : rabbit://guest:XXX@10.10.10.1:5672,guest:XXX@10.10.10.2:5672,guest:XXX@10.10.10.3:5672 wait /usr/lib/python2.7/site-packages/cinder/service.py:611
In a production environment, this is pretty bad.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1750074/+subscriptions
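Added example, not part of the original message and not the fix released in Cinder or Manila: a Python logging filter that masks the password in every credential of a multi-host transport_url like the one in the bug description. The names mask_transport_url and CredentialMaskFilter and the sample password are constructed for illustration; passwords containing a literal comma, slash or at sign are assumed to be percent-encoded.

```python
import io
import logging
import re

# Matches each "user:password@" credential. A credential follows either the
# scheme separator "://" or the "," that separates hosts in a multi-host URL.
_CRED = re.compile(r"(?P<lead>://|,)(?P<user>[^:@/,\s]*):(?P<pw>[^@/,\s]*)@")


def mask_transport_url(text, mask="***"):
    """Replace the password in every user:password@host sequence with a mask."""
    return _CRED.sub(
        lambda m: f"{m.group('lead')}{m.group('user')}:{mask}@", text)


class CredentialMaskFilter(logging.Filter):
    """Masks URL credentials in a record before any handler formats it."""

    def filter(self, record):
        # Render the message first so values passed as %-style args are covered.
        record.msg = mask_transport_url(record.getMessage())
        record.args = None
        return True


def demo():
    """Log a constructed transport_url line through the filter; return output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(CredentialMaskFilter())
    log = logging.getLogger("masking_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample: same shape as the line in the report, made-up secret.
    url = "rabbit://guest:s3cret@10.10.10.1:5672,guest:s3cret@10.10.10.2:5672"
    log.debug("transport_url : %s", url)
    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler rather than to one logger covers records from every module that reaches that handler, including DEBUG output.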