oslo notifications sending sensitive tokens
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | In Progress | Medium | Jay Faulkner | 
OpenStack Compute (nova) | Confirmed | Undecided | Unassigned | 
OpenStack Security Advisory | Confirmed | Medium | Jeremy Stanley | 
oslo.messaging | In Progress | Undecided | Jay Faulkner | 
Bug Description
Hi,
I have configured an OpenStack deployment to send Ironic service notifications using oslo_messaging_
- I have confirmed that auth token is leaked using both a Kafka and RabbitMQ backed
- I have also confirmed that both messaging and messagingv2 options under oslo_messaging_
- I am using the Victoria version of OpenStack and I have not confirmed whether this has been patched in newer versions
1) https:/
2) https:/
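The report above says the auth token rides along inside the notification messages that the messaging/messagingv2 drivers put on RabbitMQ or Kafka. The following is an added example (not code from the reporter, Ironic, Nova or oslo.messaging) of the check an operator would want before and after patching: pull a notification body off the bus, unwrap it, and scan every field for credential-looking content. The envelope layout (`oslo.message` carrying a JSON string, request-context fields packed into the body under a `_context_` prefix), the key names in `SENSITIVE_KEY_RE`, the Fernet-shaped token pattern and the sample notification are all assumptions for illustration; compare them with what your own deployment actually emits.

```python
"""Scan an oslo.messaging-style notification for leaked credentials.

Added example for this bug report, not project code. The wire layout and
key names below are assumptions; verify them against real messages.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Key names that commonly carry a credential (assumed list; extend as needed).
# The `_context_` prefix is stripped first so packed request-context fields
# and plain payload fields are both matched.
SENSITIVE_KEY_RE = re.compile(
    r"(auth[_-]?token|x[_-]auth[_-]token|service[_-]token|password)$", re.I)

# Keystone Fernet tokens are long base64url strings starting with "gAAAA".
# Matching on shape catches a token stored under an unexpected key name.
FERNET_TOKEN_RE = re.compile(r"^gAAAA[A-Za-z0-9_=-]{60,}$")

REDACTED = "***REDACTED***"


def _is_credential(key: str, value: Any) -> bool:
    """True when the key name or the value shape indicates a credential."""
    if value in (None, "", REDACTED):
        return False
    bare = key[len("_context_"):] if key.startswith("_context_") else key
    if SENSITIVE_KEY_RE.search(bare):
        return True
    return isinstance(value, str) and bool(FERNET_TOKEN_RE.match(value))


def unwrap_envelope(msg: Dict[str, Any]) -> Dict[str, Any]:
    """Unpack {"oslo.version": ..., "oslo.message": "<json>"} if present.

    Assumed wire layout for the RPC-based notification drivers; adjust if
    your driver serialises differently.
    """
    inner = msg.get("oslo.message")
    return json.loads(inner) if isinstance(inner, str) else msg


def find_leaks(obj: Any, path: str = "") -> List[Tuple[str, Any]]:
    """Return (dotted path, value) for every field that looks like a credential."""
    hits: List[Tuple[str, Any]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if _is_credential(key, value):
                hits.append((here, value))
            else:
                hits.extend(find_leaks(value, here))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_leaks(value, f"{path}[{idx}]"))
    return hits


def redact(obj: Any) -> Any:
    """Return a copy of the message with every credential-looking value masked."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _is_credential(k, v) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def scan_raw(body: bytes) -> List[str]:
    """Paths of leaked fields in a raw message body taken off the queue."""
    return [p for p, _ in find_leaks(unwrap_envelope(json.loads(body)))]


# Constructed sample resembling the leak described in the report: the
# request context, including its auth token, packed into the message body.
SAMPLE_NOTIFICATION: Dict[str, Any] = {
    "oslo.version": "2.0",
    "oslo.message": json.dumps({
        "message_id": "11111111-2222-3333-4444-555555555555",
        "publisher_id": "ironic-conductor.node-1",
        "event_type": "baremetal.node.power_set.end",
        "priority": "INFO",
        "payload": {"uuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                    "power_state": "power on"},
        "timestamp": "2021-01-01 00:00:00.000000",
        "_context_user_id": "u1",
        "_context_project_id": "p1",
        "_context_is_admin": False,
        "_context_auth_token": "gAAAA" + "A" * 80,   # constructed token
    }),
}


if __name__ == "__main__":
    body = unwrap_envelope(SAMPLE_NOTIFICATION)
    for path, value in find_leaks(body):
        print(f"credential found at {path}: {str(value)[:12]}...")
    print(json.dumps(redact(body), indent=2))
```

Run `scan_raw()` over bodies consumed from the notifications queue (or a Kafka topic) before and after applying the fix; an empty list for every message is the condition to look for, and `redact()` gives a copy safe to paste into a ticket.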
Changed in ironic:
assignee: nobody → Jay Faulkner (jason-oldos)
Changed in nova:
status: New → Confirmed
Changed in ironic:
status: New → Confirmed
Changed in ossa:
status: Won't Fix → Incomplete
Changed in ironic:
importance: Undecided → Critical
description: updated
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
assignee: nobody → Jeremy Stanley (fungi)
Changed in ironic:
importance: Critical → Medium
I've added a "won't fix" security advisory task for now as a formality, since reports of suspected vulnerabilities are not officially overseen by the OpenStack Vulnerability Management Team: https://security.openstack.org/repos-overseen.html
I'm still happy to provide guidance on behalf of the VMT on a best-effort basis.