Cookie hash value displayed in rabbitmq logs

Bug #1761538 reported by Archana Prabhakar
Affects                        Status   Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Invalid  Undecided   Unassigned
OpenStack Security Notes       New      Undecided   Unassigned

Bug Description

Enabled rabbitmq debug and restarted the process. Found sensitive data displayed in the logs.

rabbitmq uses the Erlang cookie concept, where a cluster of nodes communicate with each other. Any node that possesses this secret cookie can communicate with the other nodes in the cluster.

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
stopped SSL Listener on [::]:5671

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Stopped RabbitMQ application

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Halting Erlang VM

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
Starting RabbitMQ 3.6.6 on Erlang 19.1.1
Copyright (C) 2007-2016 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
node : rabbit@ip9-114-192-221
home dir : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash : RVLZk6qSkQ471Dqtfk14wA==
log : /<email address hidden>
sasl log : /<email address hidden>
database dir : /var/lib/rabbitmq/mnesia/rabbit@ip9-114-192-221

=INFO REPORT==== 31-Mar-2018::03:29:57 ===
Memory limit set to 3876MB of 9690MB total.

Tags: security
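The "cookie hash" line in the banner above is what the report is about. As an added example, not code from the bug report, from RabbitMQ or from Keystone, the script below pulls that value out of RabbitMQ startup log text and tests it against a list of candidate cookies entirely offline. It relies on how rabbit.erl computes the banner value (base64 of the unsalted MD5 of the cookie text). The log text, the cookie "abc" and the candidate list are constructed for the example; the second banner reuses the hash from the report, whose real cookie is not known.

```python
import base64
import hashlib
import re
from typing import Iterable, List, Optional

# Matches the "cookie hash : ..." line of the RabbitMQ startup banner.
COOKIE_HASH_RE = re.compile(r"^\s*cookie hash\s*:\s*(\S+)\s*$")


def rabbit_cookie_hash(cookie: str) -> str:
    """Reproduce the banner value: base64(MD5(cookie)), with no salt.

    This mirrors cookie_hash/0 in rabbit.erl, which runs erlang:md5/1 over the
    cookie atom's text and base64-encodes the 16-byte digest.
    """
    digest = hashlib.md5(cookie.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def find_cookie_hashes(log_text: str) -> List[str]:
    """Return every cookie hash printed in the log, one per Erlang VM start."""
    found = []
    for line in log_text.splitlines():
        m = COOKIE_HASH_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def match_cookie(logged_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate cookie whose hash equals the logged value, if any.

    Because the value is unsalted MD5, this is a pure offline check: nobody
    needs to reach the broker or the Erlang distribution port to confirm a
    guess, which is why a hash sitting in a log file matters.
    """
    for cookie in candidates:
        if rabbit_cookie_hash(cookie) == logged_hash:
            return cookie
    return None


def audit_log(log_text: str, candidates: Iterable[str]) -> List[Optional[str]]:
    """For each cookie hash found in the log, the matching candidate or None."""
    cands = list(candidates)
    return [match_cookie(h, cands) for h in find_cookie_hashes(log_text)]


# Constructed sample: two startup banners in the format shown in the report.
# Node A's cookie is "abc" (constructed); node B reuses the hash from the
# report, whose real cookie is unknown.
SAMPLE_LOG = """\
=INFO REPORT==== 31-Mar-2018::03:29:54 ===
node           : rabbit@node-a
home dir       : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash    : kAFQmDzST7DWlj99KOF/cg==
database dir   : /var/lib/rabbitmq/mnesia/rabbit@node-a

=INFO REPORT==== 31-Mar-2018::03:29:57 ===
Memory limit set to 3876MB of 9690MB total.

=INFO REPORT==== 31-Mar-2018::03:31:10 ===
node           : rabbit@node-b
cookie hash    : RVLZk6qSkQ471Dqtfk14wA==
"""

# Constructed candidate list: weak or reused cookies an operator might check for.
CANDIDATE_COOKIES = ["abc", "guest", "rabbit", "changeme"]


if __name__ == "__main__":
    hashes = find_cookie_hashes(SAMPLE_LOG)
    for h, hit in zip(hashes, audit_log(SAMPLE_LOG, CANDIDATE_COOKIES)):
        print(h, "->", f"recovered cookie: {hit}" if hit else "no candidate matched")
```

Two things follow from the check. First, equal hashes in the logs of two nodes or two clusters mean they share a cookie, so the logged value also leaks cluster membership. Second, because the hash is deterministic and unsalted, the only real mitigations are to keep the cookie unguessable (the 20-character random value RabbitMQ generates rather than a human-chosen string), to restrict read access to the broker's log directory as tightly as to `/var/lib/rabbitmq/.erlang.cookie` itself, and to rotate the cookie on every node if a log containing the hash has been exposed.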
Divya K Konoor (dikonoor) wrote :

Archana, I believe the right place to open this bug is at https://github.com/rabbitmq/rabbitmq-server/issues/new as the logs mentioned here have nothing to do with Keystone.

tags: added: security
Divya K Konoor (dikonoor) wrote :

But logging this Erlang Cache could have a security impact on OpenStack

Jeremy Stanley (fungi) wrote :

If this behavior is configurable or other mitigation can be devised, or if it gets patched upstream in rabbitmq, then a security note (not advisory) may be appropriate to let operators know about the risk and what they can do.

Gage Hugo (gagehugo) wrote :

This likely is more related to RabbitMQ (and as fungi pointed out, should probably be noted in OSSN) if it has a security impact on OpenStack as a whole, rather than specifically keystone.

Changed in keystone:
status: New → Invalid