[Openstack] [OSSN 0046] Setting services to debug mode can also set Pecan to debug

Nathan Kinder nkinder at redhat.com
Mon May 11 14:19:29 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Setting services to debug mode can also set Pecan to debug
---

### Summary ###
When debug mode is set for a service that uses Pecan (via --debug or
CONF.debug=True), Pecan is also put into debug mode. This can result in
accidental information disclosure.

### Affected Services / Software ###
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar

### Discussion ###
Although it's best practice to run production environments with
debugging functionality disabled, experience shows us that many
deployers choose to run OpenStack with debugging enabled to aid with
administration and fault finding.

When Pecan is running in debug mode, the following capabilities are made
available to anyone who can interact with the API service:

* Retrieve a stack trace of failed Pecan calls
* Retrieve a full list of environment variables, which may contain
sensitive information such as API credentials, passwords, etc.
* Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service

### Recommended Actions ###
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.
Deployers are encouraged to apply these fixes (see launchpad bug in
References) in their clouds. For services that do not have a fix, or
where fixes cannot be applied in existing deployments, we advise not
using the debug configuration for affected services in production
environments.
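The following example is added here to illustrate the note; it is not code from the OSSN or from any of the affected projects. It shows the coupling described in the Summary (the service-wide debug flag being passed straight into the keyword arguments for pecan.make_app()) next to a decoupled variant in which Pecan debug has its own switch that defaults to off, and a small audit helper that reads an oslo.config-style INI file and flags the risky combination. The option name pecan_debug, the section layout and the sample configuration text are illustrative assumptions, not the fix shipped by any particular project.

```python
import configparser
import logging

LOG = logging.getLogger(__name__)


def pecan_app_kwargs_coupled(service_debug):
    """The pattern the note warns about: the service-wide debug flag
    (--debug / CONF.debug) is handed directly to pecan.make_app(), so
    turning on service debug also turns on Pecan's debug middleware."""
    return {"debug": bool(service_debug)}


def pecan_app_kwargs_decoupled(service_debug, pecan_debug=False):
    """Hardened shape: Pecan debug gets its own option (pecan_debug is an
    illustrative name) that defaults to False. Service debug still
    controls log verbosity but never reaches Pecan."""
    LOG.setLevel(logging.DEBUG if service_debug else logging.INFO)
    if pecan_debug:
        LOG.warning("Pecan debug middleware enabled: stack traces and the "
                    "process environment become visible to API clients.")
    return {"debug": bool(pecan_debug)}


def audit_service_config(cfg_text, pecan_debug_option="pecan_debug"):
    """Scan oslo.config-style INI text for the risky combination the note
    describes: debug enabled in [DEFAULT] without Pecan debug explicitly
    disabled anywhere, or Pecan debug explicitly enabled.
    Returns a list of finding strings; an empty list means no issue."""
    # Use a sentinel default section so [DEFAULT] is treated as an
    # ordinary section and its values are not inherited by the others,
    # which would otherwise produce duplicate findings.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__none__")
    parser.read_string(cfg_text)

    findings = []
    debug_on = parser.getboolean("DEFAULT", "debug", fallback=False)
    pecan_explicitly_off = False
    for section in parser.sections():
        if parser.has_option(section, pecan_debug_option):
            if parser.getboolean(section, pecan_debug_option):
                findings.append(
                    "[%s] %s is enabled" % (section, pecan_debug_option))
            else:
                pecan_explicitly_off = True
    if debug_on and not pecan_explicitly_off:
        findings.append("[DEFAULT] debug is enabled and %s is not "
                        "explicitly disabled" % pecan_debug_option)
    return findings


# Constructed sample configurations (not taken from any real deployment).
RISKY_CONF = """\
[DEFAULT]
debug = True
verbose = True
"""

SAFE_CONF = """\
[DEFAULT]
debug = True

[api]
pecan_debug = False
"""

EXPLICIT_PECAN_DEBUG_CONF = """\
[DEFAULT]
debug = False

[api]
pecan_debug = True
"""

if __name__ == "__main__":
    logging.basicConfig()
    print("coupled, CONF.debug=True  ->", pecan_app_kwargs_coupled(True))
    print("decoupled, CONF.debug=True ->", pecan_app_kwargs_decoupled(True))
    for name, text in [("risky", RISKY_CONF), ("safe", SAFE_CONF),
                       ("explicit", EXPLICIT_PECAN_DEBUG_CONF)]:
        print(name, "->", audit_service_config(text) or "no findings")
```

The kwargs dicts returned by the two helpers are what a service would splat into pecan.make_app(root, **kwargs); the audit helper is the check a deployer can run over a service's configuration file before a fix is available, to confirm that the debug setting is not silently reaching Pecan.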

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Pecan : http://www.pecanpy.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVULpuAAoJEJa+6E7Ri+EVdMUIAKmzQkm8CZp9E5q+5tuHh7ix
n3aekuYYcQ0hqk/KG8yx7dd6966Rq/EOw7bjM9rOXs9M0aLOCoyarGI9ZwrrAe86
K0VwS3E5fqX3VmiRbDBXraDlEJn8sdS8WwAApvHwlv7yEK+z+YggDhhtGvnJyQe2
rxXeZIVFPsY1bnSFtPPsUqfFvFiXSUbK3MvAEJ2USthPbS8arQbWEbBzZ60qLVhE
4tJaCFaMTkCXpIQ1ndAv63/jTQpq2N0PiaW2BPvaAGZUmUakMgCKrSwRnZ4nQw7s
NKNdmuBMTS5TNv6H9d0NixfO8NB7rNPcUm9Raon3GqnZM2mVFhc+6z4SaQUSe/I=
=eKSs
-----END PGP SIGNATURE-----