Nova compute log can get the password info from the user_data
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Confirmed
|
Wishlist
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Here is the log on /var/log/
>>>base64.
b'#cloud-
Although the password is been encrypted but it is easy to decrypted.
So, in order to avoid this, maybe we don't need to display the password info?
From nova perspective user_data is a transparent blob of information. Nova does not know if the user data contains passwords, security keys, or any other sensitive information. I'm not sure this is directly a nova security bug but it could be so I still marking it as such to get it evaluated from security perspective.