Open Stack

That is great information! Thanks.


On Tue, Apr 29, 2014 at 10:38 AM, Clark, Robert Graham
<robert.clark at hp.com>wrote:

> Absolutely, for people that haven’t updated their SSL libraries (where
> OpenSSL was in use) there could be some level of exposure.
>
>
>
> This has actually been addressed in an OpenStack Security Note:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0012
>
>
>
> *From:* Hao Wang [mailto:hao.1.wang at gmail.com]
> *Sent:* 29 April 2014 15:26
> *To:* Clark, Robert Graham
> *Cc:* openstack-security at lists.openstack.org; openstack; Aaron Knister
>
> *Subject:* Re: [Openstack-security] [Openstack] API Security
>
>
>
> Thanks. It makes sense. The other questions are, would Heartbleed be a
> potential risk? Which solution is being used in OpenStack SSL?
>
>
>
> On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <
> robert.clark at hp.com> wrote:
>
> This is why any production API servers should all be running TLS/SSL – to
> protect the confidentiality of messages in flight.
>
>
>
> There have been efforts to remove sensitive information from logs, I’m a
> little surprised that passwords are logged in Neutron.
>
>
>
> *From:* Hao Wang [mailto:hao.1.wang at gmail.com]
> *Sent:* 29 April 2014 14:06
> *To:* openstack-security at lists.openstack.org
> *Cc:* openstack; Aaron Knister
> *Subject:* Re: [Openstack-security] [Openstack] API Security
>
>
>
> Adding security group...
>
>
>
> On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
>
> It is the client. I got this message with DEBUG enabled:
>
> curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H
> "Content-Type: application/json" -H "Accept: application/json" -H
> "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin",
> "passwordCredentials": {"username": "admin", "password": "admin"}}}'
>
>
>
> It can be seen that username and password are right in the message.
>
>
>
> Hao
>
>
>
> On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <aaron.knister at gmail.com>
> wrote:
>
> Was it the client or the server that exposed the credentials?
>
> Sent from my iPhone
>
>
> On Apr 26, 2014, at 2:28 PM, Hao Wang <hao.1.wang at gmail.com> wrote:
>
> Hi,
>
>
>
> I am troubleshooting a neutron case. It was just found that if DEBUG was
> enabled, neutron would print out JSON data with username and password. I am
> wondering what kind of protocol is used in production environment to
> prevent this security risk from happening.
>
>
>
> Thanks,
>
> Hao
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140429/85417fc7/attachment.html>