Ironic Inspector

Running Flask server in debug mode may be a security issue

Bug #1506419 reported by Dmitry Tantsur on 2015-10-15

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Ironic Inspector	Fix Released	High	Dmitry Tantsur	Ironic Inspector 2.3.0
Kilo	Fix Released	High	Dmitry Tantsur	Ironic Inspector 1.1.1
Liberty	Fix Released	High	Dmitry Tantsur	Ironic Inspector 2.2.2
Mitaka	Fix Released	High	Dmitry Tantsur	Ironic Inspector 2.3.0
OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

A lot of people default to running their servers in debug mode. While handy for getting the full logs, in our case it will also allow access to Flask console, which may pose a security risk. We need a separate option for this.

Tags:

CVE References

2015-5306

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-15: Fix proposed to ironic-inspector (master)

Fix proposed to branch: master
Review: https://review.openstack.org/235258

Changed in ironic-inspector:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-16: Fix merged to ironic-inspector (master)

Reviewed: https://review.openstack.org/235258
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=77d0052c5133034490386fbfadfdb1bdb49aa44f
Submitter: Jenkins
Branch: master

commit 77d0052c5133034490386fbfadfdb1bdb49aa44f
Author: Dmitry Tantsur <email address hidden>
Date: Thu Oct 15 12:51:23 2015 +0200

Never run Flask application with debug mode

Flask server in debug mode allows users to execute any Python code
on a server, which is a security issue for us.

Change-Id: I9e12510b0abb04182e85bf3f73cdad29e1f8d382
Closes-Bug: #1506419

Changed in ironic-inspector:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-16: Fix proposed to ironic-inspector (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/235856

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-16: Fix merged to ironic-inspector (stable/liberty)

Reviewed: https://review.openstack.org/235856
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=2c64da2bee6eeea27c08eb7a94894feaa5494910
Submitter: Jenkins
Branch: stable/liberty

commit 2c64da2bee6eeea27c08eb7a94894feaa5494910
Author: Dmitry Tantsur <email address hidden>
Date: Thu Oct 15 12:51:23 2015 +0200

Never run Flask application with debug mode

Flask server in debug mode allows users to execute any Python code
on a server, which is a security issue for us.

    Change-Id: I9e12510b0abb04182e85bf3f73cdad29e1f8d382
    Closes-Bug: #1506419
    (cherry picked from commit 77d0052c5133034490386fbfadfdb1bdb49aa44f)

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-10-20:

Added a "won't fix" security advisory task for this and marked it as a hardening opportunity (class D in https://security.openstack.org/vmt-process.html#incident-report-taxonomy ) due to being an sensitive information disclosure occurring only in DEBUG level logs.

Changed in ossa:
status:	New → Won't Fix
tags:	added: security

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-10-21:

Sorry, as Garth Mollett pointed out to me via E-mail, this is not simply an information disclosure but instead a backdoor. Probably the closest prior report I've seen is bug 1425206.

Though also, Ironic is not currently under OpenStack VMT oversight[*], so take this as guidance for how I would have classified it were that not actually the case.

[*] http://governance.openstack.org/reference/tags/vulnerability_managed.html

Revision history for this message

Garth Mollett (gmollett) wrote on 2015-10-21:

CVE-2015-5306 OpenStack Ironic: Potential remote code execution with debug mode enabled.
Has been assigned to this issue.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-21: Fix proposed to ironic-inspector (stable/1.1)

Fix proposed to branch: stable/1.1
Review: https://review.openstack.org/238007

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-21: Fix merged to ironic-inspector (stable/1.1)

Reviewed: https://review.openstack.org/238007
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=7ca56201897d8288b1acaafeccd9469840f73dcf
Submitter: Jenkins
Branch: stable/1.1

commit 7ca56201897d8288b1acaafeccd9469840f73dcf
Author: Dmitry Tantsur <email address hidden>
Date: Wed Oct 21 13:56:34 2015 +0200

Never run Flask in debug mode, it poses a security risk

Change-Id: I0c0c192bc75f42cfb070059f1764a0837ae956bb
Closes-Bug: #1506419

Revision history for this message

Mark Goddard (mgoddard) wrote on 2015-11-09:

#10

For the sake of documentation, another good reason not to run in debug mode is that it causes Flask to create a second process to monitor changes to the file system. The eventlet greenthreads for periodic clean up and firewall update tasks end up running in both processes, breaking the synchronisation in the firewall module. If the periodic firewall update runs in the parent process at the same time as an introspection callback API is handled in the main process, the two can interact, and cause unexpected errors, leading to inspection failure.

Revision history for this message

Dmitry Tantsur (divius) wrote on 2015-11-11:

#11

Mark, great catch! I think we saw this problem already.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2015-12-03: Fix included in openstack/ironic-inspector 2.3.0

#12

This issue was fixed in the openstack/ironic-inspector 2.3.0 release.

Changed in ironic-inspector:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.