[Openstack] [Openstack-security] API Security

Clark, Robert Graham robert.clark at hp.com
Tue Apr 29 14:38:36 UTC 2014


Absolutely, for people that haven’t updated their SSL libraries (where OpenSSL was in use) there could be some level of exposure.

This has actually been addressed in an OpenStack Security Note: https://wiki.openstack.org/wiki/OSSN/OSSN-0012

From: Hao Wang [mailto:hao.1.wang at gmail.com] 
Sent: 29 April 2014 15:26
To: Clark, Robert Graham
Cc: openstack-security at lists.openstack.org; openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security

Thanks. It makes sense. The other questions are, would Heartbleed be a potential risk? Which solution is being used in OpenStack SSL?

On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <robert.clark at hp.com <mailto:robert.clark at hp.com> > wrote:

This is why all production API servers should be running TLS/SSL – to protect the confidentiality of messages in flight.

There have been efforts to remove sensitive information from logs, I’m a little surprised that passwords are logged in Neutron.

From: Hao Wang [mailto:hao.1.wang at gmail.com <mailto:hao.1.wang at gmail.com> ] 
Sent: 29 April 2014 14:06
To: openstack-security at lists.openstack.org <mailto:openstack-security at lists.openstack.org> 
Cc: openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security

Adding security group...

On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com <mailto:hao.1.wang at gmail.com> > wrote:

It is the client. I got this message with DEBUG enabled:

curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'

It can be seen that the username and password are right there in the message.

Hao

On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <aaron.knister at gmail.com <mailto:aaron.knister at gmail.com> > wrote:

Was it the client or the server that exposed the credentials?

Sent from my iPhone


On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com <mailto:hao.1.wang at gmail.com> > wrote:

Hi,

I am troubleshooting a Neutron case. It was just found that if DEBUG was enabled, Neutron would print out JSON data with the username and password. I am wondering what kind of protocol is used in a production environment to prevent this security risk from happening.

Thanks,

Hao

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org> 
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
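The thread makes two separate points: TLS protects the keystone token request on the wire, but nothing about TLS stops a client (or server) from echoing the plaintext JSON body into a DEBUG log. The block below is an added example, not code from python-novaclient, Neutron or any OpenStack project: it masks credential fields in a request body and in the free-form curl echo quoted above before the line is logged, and flags an endpoint that is not behind https. The key and header lists (SENSITIVE_KEYS, SENSITIVE_HEADERS) and the function names are assumptions for the example; the sample request is the one posted in the thread, reconstructed inline so the block runs offline. The approach is the same one OpenStack later adopted for its clients (compare strutils.mask_password in oslo.utils).

```python
import json
import re
from urllib.parse import urlparse

# Keys whose values must never reach a debug log. Assumed list for this
# example; extend it for the secrets your own deployment handles.
SENSITIVE_KEYS = {"password", "token", "adminpass", "auth_token", "secret"}

# Headers that carry bearer credentials (assumed list for this example).
SENSITIVE_HEADERS = {"x-auth-token", "x-subject-token", "authorization"}


def _redact_obj(obj):
    """Recursively mask sensitive values in a parsed JSON structure."""
    if isinstance(obj, dict):
        return {k: ("***" if k.lower() in SENSITIVE_KEYS else _redact_obj(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_obj(v) for v in obj]
    return obj


def redact_json_body(body):
    """Mask credentials in a JSON request or response body.

    Non-JSON input is returned unchanged so callers can pass any body through.
    """
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return body
    return json.dumps(_redact_obj(parsed))


# Fallback for free-form text (e.g. the curl echo novaclient prints), where the
# JSON is embedded in a shell-quoted string instead of being available as an
# object. Matches "key": "value" pairs and "Header: value" fragments.
_JSON_KV_RE = re.compile(
    r'("(?:' + "|".join(sorted(SENSITIVE_KEYS)) + r')"\s*:\s*")[^"]*(")',
    re.IGNORECASE)
_HEADER_RE = re.compile(
    r'((?:' + "|".join(sorted(SENSITIVE_HEADERS)) + r'):\s*)[^"\s]+',
    re.IGNORECASE)


def redact_debug_line(line):
    """Mask credential values in a free-form debug line (body and headers)."""
    line = _JSON_KV_RE.sub(r"\1***\2", line)
    return _HEADER_RE.sub(r"\1***", line)


def debug_log_request(method, url, headers, body):
    """Build the debug record a client should emit for an outgoing request.

    Returns (line, plaintext). Credentials are masked in the returned line in
    every case; `plaintext` is True when the endpoint is not https, i.e. the
    same credentials are also exposed on the wire regardless of logging.
    """
    safe_headers = {k: ("***" if k.lower() in SENSITIVE_HEADERS else v)
                    for k, v in headers.items()}
    safe_body = redact_json_body(body)
    header_str = " ".join('-H "%s: %s"' % (k, v) for k, v in safe_headers.items())
    line = "curl -i '%s' -X %s %s -d '%s'" % (url, method, header_str, safe_body)
    plaintext = urlparse(url).scheme != "https"
    return line, plaintext


# Constructed sample: the keystone v2 token request quoted in the thread.
SAMPLE_BODY = ('{"auth": {"tenantName": "admin", "passwordCredentials": '
               '{"username": "admin", "password": "admin"}}}')
SAMPLE_CURL = ("curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST "
               '-H "Content-Type: application/json" -H "Accept: application/json" '
               '-H "User-Agent: python-novaclient" -d \'' + SAMPLE_BODY + "'")

if __name__ == "__main__":
    print(redact_debug_line(SAMPLE_CURL))
    line, plaintext = debug_log_request(
        "POST", "http://192.168.56.103:35357/v2.0/tokens",
        {"Content-Type": "application/json", "X-Auth-Token": "deadbeef"},
        SAMPLE_BODY)
    print(line)
    if plaintext:
        print("WARNING: credentials sent over plaintext HTTP")
```

Masking on the structured body (redact_json_body) is the reliable path; the regex fallback exists only because debug output is often assembled as a string before any sanitiser sees it. Neither replaces TLS on the API endpoint, which is why debug_log_request also reports the scheme.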
