Swift object/proxy server writing Auth Token to log file (swauth)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Invalid | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| Swift Authentication | In Progress | High | Pavel Kvasnička | |
Bug Description
Auth tokens are logged by the proxy and object servers if the swauth[1] authentication middleware is used.
The Swift object server and proxy server save tokens retrieved from the middleware authentication mechanism (swauth) to the log file.
Steps to trigger the issue:
1. Enable `swauth` authentication middleware
2. Retrieve a token using:
```
swift -A http://
```
The logs written when the above command is executed contain the token as well:
```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/
```
3. After retrieving the token from the log file, I was able to execute the command below:
```
curl -i http://
```
The output obtained:
```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-
X-Account-
Content-Type: application/json; charset=utf-8
X-Account-
X-Trans-Id: txbd83d5254a404
X-Openstack-
Date: Wed, 11 Jan 2017 23:05:14 GMT
```
As Swift has the ability to add any middleware for authentication, and swauth is officially part of the OpenStack project[1], the token should not be logged. I suspect this issue would be present for any authentication middleware and is a security issue.
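As an added illustration (not code from this report, from Swift or from swauth), a Python helper for the defender's side of this issue: auditing existing proxy and object logs for leaked tokens and redacting them before they are written. It assumes swauth tokens have the form `AUTH_tk` followed by 32 hex characters, and the sample log lines are constructed, modelled on the syslog lines above.

```python
import hashlib
import logging
import re

# Assumption, not stated in the report: swauth tokens look like "AUTH_tk"
# followed by 32 hex characters. Other middleware needs its own pattern.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")


def find_tokens(line):
    """Return every token-shaped value in one log line (audit of existing logs)."""
    return TOKEN_RE.findall(line)


def redact_line(line):
    """Replace each token with a short, non-reversible fingerprint so proxy and
    object log lines stay correlatable without exposing the credential."""
    def fingerprint(match):
        digest = hashlib.sha256(match.group(0).encode("utf-8")).hexdigest()
        return "AUTH_tk[redacted:%s]" % digest[:8]
    return TOKEN_RE.sub(fingerprint, line)


def audit_log(lines):
    """Return (line_number, token) pairs for every token found in a log."""
    return [(n, tok) for n, line in enumerate(lines, 1) for tok in find_tokens(line)]


class TokenRedactingFilter(logging.Filter):
    """Scrub tokens before a record reaches any handler. Swift's servers log via
    the stdlib logging module, so a filter like this can be attached to the
    logger or handler (assumption: the token is in record.msg, not record.args)."""

    def filter(self, record):
        record.msg = redact_line(str(record.msg))
        return True


# Constructed sample modelled on the report's syslog lines; the token value is
# made up and the request paths are illustrative.
TOKEN = "AUTH_tk0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    "Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 "
    "GET /auth/v1.0 HTTP/1.0 200 - python-swiftclient - - - - %s - 0.0123" % TOKEN,
    "Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017 22:51:22] "
    '"GET /sdb3/660/AUTH_.token_0/%s" 200' % TOKEN,
    "Jan 11 22:51:23 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/23 "
    "HEAD /v1/AUTH_test HTTP/1.0 204 - curl/7.47.0 - - - - - - 0.0045",
]

if __name__ == "__main__":
    for lineno, tok in audit_log(SAMPLE_LOG):
        print("line %d leaks token %s" % (lineno, tok))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The fingerprint keeps two log lines that carry the same token linkable during incident review while the value itself is no longer recoverable from the log.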
Changed in swauth:
- assignee: nobody → Pavel Kvasnička (pavel-kvasnicka)
- status: New → In Progress
- information type: Private Security → Public Security

Changed in swauth:
- status: In Progress → Confirmed
- status: Confirmed → In Progress
- description: updated

Changed in ossa:
- status: Incomplete → Won't Fix

Changed in swift:
- status: New → Invalid
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.