[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-03-04 Thread Edward Hope-Morley
** Tags removed: sts-sru-needed
** Tags added: sts-sru-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1811098

Title:
  [SRU] ceilometer writing snmp credentials to log file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1811098/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-26 Thread Corey Bryant
This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2~cloud0
---

 ceilometer (1:10.0.1-0ubuntu0.18.04.2~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch


** Changed in: cloud-archive/queens
   Status: Fix Committed => Fix Released

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-26 Thread Edward Hope-Morley
queens-proposed verified using [Test Case].


** Tags removed: verification-queens-needed
** Tags added: verification-queens-done

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-25 Thread Corey Bryant
This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2~cloud0
---

 ceilometer (1:11.0.1-0ubuntu2~cloud0) bionic-rocky; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch


** Changed in: cloud-archive/rocky
   Status: Fix Committed => Fix Released

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-25 Thread Corey Bryant
** Changed in: cloud-archive/stein
   Status: Triaged => Fix Released

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-18 Thread Launchpad Bug Tracker
This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2

---
ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley   Fri, 11 Jan 2019 18:16:31 +

** Changed in: ceilometer (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-14 Thread Nick Tait
This flaw has been assigned as CVE-2019-3830
https://access.redhat.com/security/cve/cve-2019-3830

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3830

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-11 Thread Launchpad Bug Tracker
This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2

---
ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley   Fri, 11 Jan 2019 18:14:54 +

** Changed in: ceilometer (Ubuntu Cosmic)
   Status: Fix Committed => Fix Released

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-06 Thread Jeremy Stanley
A CVE can be requested by anyone for any defect. The OpenStack VMT
doesn't generally request CVEs for projects it doesn't oversee, but we
have a brief overview of what we'd generally recommend putting in
MITRE's CVE Request form documented at
https://security.openstack.org/vmt-process.html#send-cve-request if
you're interested in following a similar process. Note that for an
already-public report like this one,
there are fewer bits to worry about (the process documentation attempts
to call out the difference between what you'd do for still private
embargoed reports vs already public reports).

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-06 Thread Nick Tait
I agree with VMT's rating of class A. Will a CVE be requested for this?

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-06 Thread Edward Hope-Morley
rocky-proposed verified using [Test Case].

** Tags removed: verification-needed verification-rocky-needed
** Tags added: verification-done verification-rocky-done

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-06 Thread Edward Hope-Morley
bionic-proposed verified using [Test Case].

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-02-05 Thread Edward Hope-Morley
cosmic-proposed verified using [Test Case].

** Tags removed: verification-needed-cosmic
** Tags added: verification-done-cosmic

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-01-31 Thread Brian Murray
Hello Edward, or anyone else affected,

Accepted ceilometer into cosmic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/ceilometer/1:11.0.1-0ubuntu2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-cosmic to verification-done-cosmic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-cosmic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Information type changed from Private Security to Public Security

** Changed in: ceilometer (Ubuntu Cosmic)
   Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-cosmic

** Changed in: ceilometer (Ubuntu Bionic)
   Status: Triaged => Fix Committed

** Tags added: verification-needed-bionic

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-01-16 Thread Corey Bryant
Note there is a public fix proposed for this issue.

** Also affects: cloud-archive/queens
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/rocky
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/stein
   Importance: Undecided
   Status: New

** Also affects: ceilometer (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: ceilometer (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: ceilometer (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/ocata
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/pike
   Importance: Undecided
   Status: New

** Changed in: cloud-archive/ocata
   Importance: Undecided => High

** Changed in: cloud-archive/ocata
   Status: New => Triaged

** Changed in: cloud-archive/pike
   Importance: Undecided => High

** Changed in: cloud-archive/pike
   Status: New => Triaged

** Changed in: cloud-archive/queens
   Importance: Undecided => High

** Changed in: cloud-archive/queens
   Status: New => Triaged

** Changed in: cloud-archive/rocky
   Importance: Undecided => High

** Changed in: cloud-archive/rocky
   Status: New => Triaged

** Changed in: cloud-archive/stein
   Importance: Undecided => High

** Changed in: cloud-archive/stein
   Status: New => Triaged

** Changed in: ceilometer (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: ceilometer (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: ceilometer (Ubuntu Cosmic)
   Importance: Undecided => High

** Changed in: ceilometer (Ubuntu Cosmic)
   Status: New => Triaged

** Changed in: ceilometer (Ubuntu Disco)
   Importance: Undecided => High

** Changed in: ceilometer (Ubuntu Disco)
   Status: New => Triaged

** Information type changed from Public to Private Security

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-01-16 Thread Edward Hope-Morley
** Description changed:

+ [Impact]
+ This SRU proposal is to patch the Ubuntu ceilometer package so that the
+ ceilometer-agent switches printing the contents of polling.yaml from INFO to
+ DEBUG. This is mostly an interim fix to make it easy to stop the presence of
+ sensitive data in the ceilometer logfiles when DEBUG logging is not activated.
+ Another bug will be raised to propose sanitising the data printed.
+ 
+ [Test Case]
+ * deploy Openstack Q/R/S with ceilometer
+ * enable debug logging
+ * check that /var/log/ceilometer/ceilometer-agent-central.log contains a line
+   similar to:
+ 
+ 2019-01-09 11:40:50.641 25495 DEBUG ceilometer.agent [-] Config file:
+ {'sources': [{'interval': 300, 'meters'...
+ 
+ i.e. ensure that the log is printed using DEBUG (not INFO)
+ 
+ [Regression Potential]
+ Users with debug mode disabled will no longer see this line.
+ 
+ 
+ 
  The ceilometer-agent-central is always writing the contents of
  polling.yaml to its log file (and as INFO) [1]
  
  This presents a security risk if e.g. resources contain sensitive
  information like when specifying snmp targets with the url containing
  the username, password etc.
  
  There are a couple of ways we could solve this, namely; (1) don't log
  this info at all, (2) sanitise the contents prior to logging as DEBUG
  (3) switch to using config for the snmp credentials in a similar way to
  how the Triple0Discoverer does it [2] - this would only support having
  the same creds everywhere though which may not be desirable.
  
  [1] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/agent.py#L70
  [2] https://github.com/openstack/ceilometer/blob/stable/rocky/ceilometer/hardware/discovery.py#L24

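Option (2) from the bug description above (sanitise the contents prior to logging as DEBUG), sketched as an added example; it is not code from the bug report, the SRU patch or ceilometer. The logger name, the sample polling.yaml structure and the list of secret-looking query parameter names are assumptions.

```python
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOG = logging.getLogger("polling_demo")  # hypothetical logger name
MASK = "REDACTED"
# Assumed name fragments that mark a query parameter as secret.
SECRET_HINTS = ("password", "passwd", "secret", "key", "token")


def redact_url(value):
    """Return value with URL userinfo and secret-looking query values masked."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return MASK  # unparseable: fail closed rather than log it verbatim
    if not parts.scheme or not parts.netloc:
        return value  # not a URL, e.g. a meter name such as "hardware.cpu.*"
    netloc = parts.netloc
    if "@" in netloc:
        # Drop the whole userinfo: user, password or community string.
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    query = [(k, MASK if any(h in k.lower() for h in SECRET_HINTS) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query), parts.fragment))


def sanitise(obj):
    """Recursively copy a parsed polling.yaml structure, redacting strings."""
    if isinstance(obj, dict):
        return {k: sanitise(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitise(v) for v in obj]
    if isinstance(obj, str):
        return redact_url(obj)
    return obj


def log_polling_config(cfg, logger=LOG):
    """Log the redacted config at DEBUG only and return what was logged."""
    safe = sanitise(cfg)
    logger.debug("Config file: %s", safe)
    return safe


# Constructed sample; host, user, passwords and parameter names are made up.
SAMPLE = {"sources": [{
    "name": "snmp_source", "interval": 300, "meters": ["hardware.cpu.*"],
    "resources": ["snmp://admin:s3cret@10.0.0.5?priv_password=hunter2&auth_proto=sha"],
}]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log_polling_config(SAMPLE)
```

Redacting before the call means the secret stays out of the log even when DEBUG is enabled, which the INFO-to-DEBUG change alone does not guarantee.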

[Bug 1811098] Re: [SRU] ceilometer writing snmp credentials to log file

2019-01-11 Thread Ubuntu Foundations Team Bug Bot
The attachment "lp1811098-stein.debdiff" seems to be a debdiff.  The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch
