-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nova ironic driver logs sensitive information while operating in debug mode - ---
### Summary ### The password and authentication token configuration options for the ironic driver in nova are not marked as secret. The values of these options will be logged to the standard logging output when the controller is run in debug mode. ### Affected Services / Software ### Nova, Ironic, Juno, Kilo ### Discussion ### When using nova with the ironic driver, an operator will need to specify either the password or an authentication token for the ironic admin user's keystone credentials. Under normal circumstances this is not an issue, but when running the API server with logging levels set to include the DEBUG message level these credentials will be exposed in the logs. Logging of configuration values is controlled by the `secret` flag for any oslo configuration option. Without this flag set, the value for a configuration option will be displayed in the logs. In the case of the ironic credentials, these options are not marked as secret. This presents a challenge to any operator who might have increased the log verbosity for the purposes of debugging or extended log collection. Depending on permissions and log storage location, these values could be read by an intruder to the system. The credentials will provide anyone who controls them access to the ironic API server's administrative functions. Additionally, they could be used in conjunction with OpenStack Identity functions to issue new authentication tokens or perform further malicious activity depending on the scope of the administrative account access (for example, modifying account permissions). All nova installations that have values defined for the `admin_password` or `admin_auth_token` options in the `ironic` section, and have set `debug=true` in the `DEFAULT` section of their configuration file will be affected by this issue. ### Recommended Actions ### As of the Liberty-1 release of nova, this issue has been resolved. It has also been backported to the Kilo and Juno stable releases, which can be expected in the 2015.1.1 and 2014.2.4 tags, respectively. Where possible, nova deployments should be updated to one of these releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno). If updating the nova deployment is not feasible, operators should turn off the debug logging level whenever it is not in use and ensure that log files produced from those debug sessions are stored securely. To disable the debug log level, the nova configuration file should be editted as follows: [DEFAULT] debug = False ### Contacts / References ### This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049 Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931 OpenStack Security ML : openstack-secur...@lists.openstack.org OpenStack Security Group : https://launchpad.net/~openstack-ossg Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVm9gAAAoJEJa+6E7Ri+EVkzAH/iAtDU+hKkqkneVD4iLZQqT9 w+tjkUqX8ACcpbTrvkcOFIWUqR4IlwRN2f7bA8foSVgf1uxCg13BLZm9/C2WcjAa ITvWYbnEV9dpuEtphmcGMqdf+34tJL5E58qYDFA1uapVsEDlymAs5IrW9Lhtw0Ap 70ZXaba1Bmm8JJ6BNJeqYcVwDJhIFNW3dzScXitLduStJXJmxqnIzazes2P7yyq2 7KsKumihgrOX5i94tjpXr5zn6hla3eF7Bew1WPl99GDtSxx4+1Kb68EWwgdDaCYB AdLfPiZwqlFux3chpzDf16KjGlwmeYUQLL0H6rdT2tZRCmAypevojTQGMjiOmnk= =hsXW -----END PGP SIGNATURE----- _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack