2016-11-03 16:40:12 |
Derek Higgins |
bug |
|
|
added bug |
2016-11-03 16:41:46 |
Derek Higgins |
attachment added |
|
0001-Mask-data-before-displaying-it-in-debug-output.patch https://bugs.launchpad.net/keystoneauth/+bug/1638978/+attachment/4771891/+files/0001-Mask-data-before-displaying-it-in-debug-output.patch |
|
2016-11-08 17:31:04 |
Derek Higgins |
bug |
|
|
added subscriber Garth Mollett |
2017-01-17 20:33:10 |
Morgan Fainberg |
bug |
|
|
added subscriber Keystone Core security contacts |
2017-01-17 20:45:26 |
Morgan Fainberg |
description |
From https://bugzilla.redhat.com/show_bug.cgi?id=1346089#c10
the debug output is displaying unsanitized user data and could result in people unintentionally sharing secrets, it should be passed through strutils.mask_password in oslo_util to sanitize all known secrets
In this case the password "a12345" is been logged in debug mode,
$ ironic --debug node-create -d pxe_ipmitool -i ipmi_password=$PASSWORD
<snip/>
DEBUG (session:337) REQ: curl -g -i -X POST http://192.0.2.1:6385/v1/nodes -H "X-OpenStack-Ironic-API-Version: 1.9" -H "User-Agent: python-ironicclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}874b5da517e12f3a17e3afaa15be8eabffc190a3" -d '{"driver": "pxe_ipmitool", "driver_info": {"ipmi_password": "a12345"}}'
INFO (connectionpool:213) Starting new HTTP connection (1): 192.0.2.1
<snip/>
+-------------------+--------------------------------------+
| Property | Value |
+-------------------+--------------------------------------+
| chassis_uuid | |
| driver | pxe_ipmitool |
| driver_info | {u'ipmi_password': u'******'} |
| extra | {} |
| name | None |
| network_interface | |
| properties | {} |
| resource_class | |
| uuid | 7c45c974-6462-48fe-9bfe-98ea864409b3 |
+-------------------+--------------------------------------+ |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the keystone-coresec team (as KeystoneAuth is not under official OpenStack Vulnerability Management Team support). This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
From https://bugzilla.redhat.com/show_bug.cgi?id=1346089#c10
the debug output is displaying unsanitized user data and could result in people unintentionally sharing secrets, it should be passed through strutils.mask_password in oslo_util to sanitize all known secrets
In this case the password "a12345" is been logged in debug mode,
$ ironic --debug node-create -d pxe_ipmitool -i ipmi_password=$PASSWORD
<snip/>
DEBUG (session:337) REQ: curl -g -i -X POST http://192.0.2.1:6385/v1/nodes -H "X-OpenStack-Ironic-API-Version: 1.9" -H "User-Agent: python-ironicclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}874b5da517e12f3a17e3afaa15be8eabffc190a3" -d '{"driver": "pxe_ipmitool", "driver_info": {"ipmi_password": "a12345"}}'
INFO (connectionpool:213) Starting new HTTP connection (1): 192.0.2.1
<snip/>
+-------------------+--------------------------------------+
| Property | Value |
+-------------------+--------------------------------------+
| chassis_uuid | |
| driver | pxe_ipmitool |
| driver_info | {u'ipmi_password': u'******'} |
| extra | {} |
| name | None |
| network_interface | |
| properties | {} |
| resource_class | |
| uuid | 7c45c974-6462-48fe-9bfe-98ea864409b3 |
+-------------------+--------------------------------------+ |
|
2017-07-07 17:33:19 |
Morgan Fainberg |
bug |
|
|
added subscriber Dinesh Bhor |
2017-07-20 18:59:57 |
Morgan Fainberg |
information type |
Private Security |
Public Security |
|
2017-07-20 19:00:05 |
Morgan Fainberg |
keystoneauth: importance |
Undecided |
Medium |
|
2017-07-20 19:00:08 |
Morgan Fainberg |
keystoneauth: status |
New |
Triaged |
|
2017-07-21 06:14:36 |
Dinesh Bhor |
keystoneauth: assignee |
|
Dinesh Bhor (dinesh-bhor) |
|
2017-10-17 07:20:57 |
OpenStack Infra |
keystoneauth: status |
Triaged |
In Progress |
|
2018-10-24 19:07:33 |
Morgan Fainberg |
keystoneauth: status |
In Progress |
Triaged |
|
2018-10-24 19:07:35 |
Morgan Fainberg |
keystoneauth: importance |
Medium |
Low |
|
2018-10-24 19:07:45 |
Morgan Fainberg |
keystoneauth: assignee |
Dinesh Bhor (dinesh-bhor) |
|
|
2019-08-29 19:54:34 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the keystone-coresec team (as KeystoneAuth is not under official OpenStack Vulnerability Management Team support). This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
From https://bugzilla.redhat.com/show_bug.cgi?id=1346089#c10
the debug output is displaying unsanitized user data and could result in people unintentionally sharing secrets, it should be passed through strutils.mask_password in oslo_util to sanitize all known secrets
In this case the password "a12345" is been logged in debug mode,
$ ironic --debug node-create -d pxe_ipmitool -i ipmi_password=$PASSWORD
<snip/>
DEBUG (session:337) REQ: curl -g -i -X POST http://192.0.2.1:6385/v1/nodes -H "X-OpenStack-Ironic-API-Version: 1.9" -H "User-Agent: python-ironicclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}874b5da517e12f3a17e3afaa15be8eabffc190a3" -d '{"driver": "pxe_ipmitool", "driver_info": {"ipmi_password": "a12345"}}'
INFO (connectionpool:213) Starting new HTTP connection (1): 192.0.2.1
<snip/>
+-------------------+--------------------------------------+
| Property | Value |
+-------------------+--------------------------------------+
| chassis_uuid | |
| driver | pxe_ipmitool |
| driver_info | {u'ipmi_password': u'******'} |
| extra | {} |
| name | None |
| network_interface | |
| properties | {} |
| resource_class | |
| uuid | 7c45c974-6462-48fe-9bfe-98ea864409b3 |
+-------------------+--------------------------------------+ |
From https://bugzilla.redhat.com/show_bug.cgi?id=1346089#c10
the debug output is displaying unsanitized user data and could result in people unintentionally sharing secrets, it should be passed through strutils.mask_password in oslo_util to sanitize all known secrets
In this case the password "a12345" is been logged in debug mode,
$ ironic --debug node-create -d pxe_ipmitool -i ipmi_password=$PASSWORD
<snip/>
DEBUG (session:337) REQ: curl -g -i -X POST http://192.0.2.1:6385/v1/nodes -H "X-OpenStack-Ironic-API-Version: 1.9" -H "User-Agent: python-ironicclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}874b5da517e12f3a17e3afaa15be8eabffc190a3" -d '{"driver": "pxe_ipmitool", "driver_info": {"ipmi_password": "a12345"}}'
INFO (connectionpool:213) Starting new HTTP connection (1): 192.0.2.1
<snip/>
+-------------------+--------------------------------------+
| Property | Value |
+-------------------+--------------------------------------+
| chassis_uuid | |
| driver | pxe_ipmitool |
| driver_info | {u'ipmi_password': u'******'} |
| extra | {} |
| name | None |
| network_interface | |
| properties | {} |
| resource_class | |
| uuid | 7c45c974-6462-48fe-9bfe-98ea864409b3 |
+-------------------+--------------------------------------+ |
|