Swift tempurl middleware reveals signatures in the logfiles (CVE-2017-8761)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | Fix Released | Undecided | Christian Schwede |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Swift3 | New | Undecided | Unassigned |
Bug Description
The proxy server will log valid temporary URLs that might be used to gain access to data by anyone with access to the logfiles. This is especially important with tempurls that are valid for extended periods and/or when using central logging servers, accessed by operators that have no access to the Swift servers.
Example log entry:
Apr 24 13:25:16 localhost proxy-server[5849]: 127.0.0.1 127.0.0.1 24/Apr/
I propose to trim the temp_url_sig, like we are already doing for tokens - see attached patch.
CVE References
Changed in ossa:
status: Incomplete → Triaged
importance: Undecided → Medium
assignee: nobody → Jeremy Stanley (fungi)
Changed in ossa:
status: Triaged → In Progress
summary: Swift tempurl middleware reveals signatures in the logfiles + (CVE-2017-8761)
description: updated
Changed in swift:
status: New → In Progress
Having had to debug customer reports that tempurl "does not work", I found it can be useful to see exactly what they sent, vs what they thought they sent. So as a debug aid, I suggest you have a way of switching this off with something like:
[tempurl]
log_signatures_for_accounts: AUTH_test, AUTH_other
By only logging for specific accounts, you don't expose all users. You can advise the account owner to change their keys after the debug period is over.
[Even with logging, it can still be hard to debug because the proxy-logger URL-encodes before logging and this is often the area where signature-encoding is wrong to start with]
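A sketch of the trimming proposed in the bug description, combined with the per-account debug allow-list suggested in the comment above. This is an added example, not the attached patch or Swift's own code: the function names, `REVEAL_PREFIX`, the `debug_accounts` parameter and the sample paths are all assumptions, as is the `%3D`/`%26` form of a percent-encoded logged path.

```python
import re
from urllib.parse import unquote

REVEAL_PREFIX = 8  # assumed: leading signature characters kept for correlation

# temp_url_sig value up to the next parameter separator. The proxy logger may
# percent-encode the query string, so '=' can appear as %3D and '&' as %26.
_SIG_RE = re.compile(r'(temp_url_sig(?:=|%3D))((?:(?!&|%26)\S)+)', re.IGNORECASE)


def account_of(path):
    """Return the account segment of a /v1/<account>/... path, else None."""
    parts = unquote(path).split('?', 1)[0].split('/')
    return parts[2] if len(parts) > 2 and parts[1] == 'v1' else None


def redact_tempurl_sig(path, debug_accounts=()):
    """Trim temp_url_sig in a request path before it is logged.

    Accounts in debug_accounts (hypothetical allow-list) are logged in full.
    """
    if account_of(path) in debug_accounts:
        return path

    def _trim(match):
        value = match.group(2)
        # Never echo a value that is no longer than the revealed prefix.
        kept = value[:REVEAL_PREFIX] if len(value) > REVEAL_PREFIX else ''
        return match.group(1) + kept + '...'

    return _SIG_RE.sub(_trim, path)


# Constructed sample paths (signature and expiry values are made up).
SIG = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
PLAIN = '/v1/AUTH_test/c/o?temp_url_sig=' + SIG + '&temp_url_expires=1493040000'
ENCODED = '/v1/AUTH_other/c/o%3Ftemp_url_sig%3D' + SIG + '%26temp_url_expires%3D1493040000'

if __name__ == '__main__':
    for p in (PLAIN, ENCODED):
        print(redact_tempurl_sig(p))
    print(redact_tempurl_sig(PLAIN, debug_accounts={'AUTH_test'}))
```

The retained prefix is long enough to match a log line against the URL a customer reports, while the remainder needed to replay the request stays out of the logfiles.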