[Group.of.nepali.translators] [Bug 1673569] Re: [OSSA-2017-002] Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)

Corey Bryant Mon, 15 May 2017 05:42:09 -0700

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/mitaka
   Importance: Undecided
       Status: New


** Also affects: cloud-archive/ocata
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/newton
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Zesty)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1673569

Title:
  [OSSA-2017-002] Failed notification payload is dumped in logs with
  auth secrets (CVE-2017-7214)

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive mitaka series:
  New
Status in Ubuntu Cloud Archive newton series:
  New
Status in Ubuntu Cloud Archive ocata series:
  New
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) mitaka series:
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Released
Status in OpenStack Compute (nova) ocata series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  New
Status in nova source package in Xenial:
  New
Status in nova source package in Yakkety:
  New
Status in nova source package in Zesty:
  New
Status in nova source package in Artful:
  New

Bug description:
  Noticed here:

  http://logs.openstack.org/08/445308/3/check/gate-tempest-dsvm-py35
  -ubuntu-
  xenial/7bf0d72/logs/screen-n-api.txt.gz#_2017-03-16_05_31_09_399

  I noticed this while investigating public nova bug 1673375, but it
  looks like that bug is caused by a ValueError coming from the
  oslo.messaging notification code, related to a circular reference in
  the json blob:

  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging Traceback 
(most recent call last):
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_messaging/notify/messaging.py", 
line 70, in notify
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
retry=retry)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_messaging/transport.py", line 104, 
in _send_notification
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
retry=retry)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_messaging/_drivers/amqpdriver.py", 
line 509, in send_notification
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
envelope=(version == 2.0), notify=True, retry=retry)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_messaging/_drivers/amqpdriver.py", 
line 457, in _send
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     msg = 
rpc_common.serialize_msg(msg)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_messaging/_drivers/common.py", 
line 293, in serialize_msg
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
_MESSAGE_KEY: jsonutils.dumps(raw_msg)}
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/local/lib/python3.5/dist-packages/oslo_serialization/jsonutils.py", line 
190, in dumps
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
return json.dumps(obj, default=default, **kwargs)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/lib/python3.5/json/__init__.py", line 237, in dumps
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
**kw).encode(obj)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/lib/python3.5/json/encoder.py", line 198, in encode
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
chunks = self.iterencode(o, _one_shot=True)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging   File 
"/usr/lib/python3.5/json/encoder.py", line 256, in iterencode
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging     
return _iterencode(o, 0)
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging 
ValueError: Circular reference detected
  2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.notify.messaging

  The security issue here is that the notification payload that's logged
  has all kinds of auth secrets in it, like tokens and passwords.

  From logstash it looks like this is only hitting master (pike) right
  now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1673569/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1673569] Re: [OSSA-2017-002] Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)

Reply via email to