OpenStack Security Notes

Cookie hash value displayed in rabbitmq logs

Bug #1761538 reported by Archana Prabhakar on 2018-04-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Invalid	Undecided	Unassigned
	OpenStack Security Notes	New	Undecided	Unassigned

Bug Description

ENabled rabbitmq debug and restarted the process. Found sensitive data displayed in logs.

rabbitmq uses Erlang cookie concept where a cluster of nodes communicates to each other. Any node that posses this secret cookie can communicate with other nodes in the cluster.

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
stopped SSL Listener on [::]:5671

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Stopped RabbitMQ application

=INFO REPORT==== 31-Mar-2018::03:28:46 ===
Halting Erlang VM

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
Starting RabbitMQ 3.6.6 on Erlang 19.1.1
Copyright (C) 2007-2016 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/

=INFO REPORT==== 31-Mar-2018::03:29:54 ===
node : rabbit@ip9-114-192-221
home dir : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash : RVLZk6qSkQ471Dqtfk14wA==
log : /<email address hidden>
sasl log : /<email address hidden>
database dir : /var/lib/rabbitmq/mnesia/rabbit@ip9-114-192-221

=INFO REPORT==== 31-Mar-2018::03:29:57 ===
Memory limit set to 3876MB of 9690MB total.

Tags:

Revision history for this message

Divya K Konoor (dikonoor) wrote on 2018-04-05:

Archana, I believe the right place to open this bug is at https://github.com/rabbitmq/rabbitmq-server/issues/new as the logs mentioned here has nothing to do with Keystone.

tags:

added: security

Revision history for this message

Divya K Konoor (dikonoor) wrote on 2018-04-05:

But logging this Erlang Cache could have a security impact on OpenStack

Revision history for this message

Jeremy Stanley (fungi) wrote on 2018-04-05:

If this behavior is configurable or other mitigation can be devised, or if it gets patched upstream in rabbitmq, then a security note (not advisory) may be appropriate to let operators know about the risk and what they can do.

Revision history for this message

Gage Hugo (gagehugo) wrote on 2018-04-05:

This likely is more related to RabbitMQ (and as fungi pointed out, should probably be noted in OSSN) if it has a security impact on OpenStack as a whole, rather than specifically keystone.

Changed in keystone:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.