-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nova ironic driver logs sensitive information while operating in debug
mode
- ---

### Summary ###
The password and authentication token configuration options for the
ironic driver in nova are not marked as secret. The values of these
options will be logged to the standard logging output when the
controller is run in debug mode.

### Affected Services / Software ###
Nova, Ironic, Juno, Kilo

### Discussion ###
When using nova with the ironic driver, an operator will need to specify
either the password or an authentication token for the ironic admin
user's keystone credentials. Under normal circumstances this is not an
issue, but when running the API server with logging levels set to
include the DEBUG message level these credentials will be exposed in
the logs.

Logging of configuration values is controlled by the `secret` flag for
any oslo configuration option. Without this flag set, the value for a
configuration option will be displayed in the logs. In the case of the
ironic credentials, these options are not marked as secret.

This presents a challenge to any operator who might have increased the
log verbosity for the purposes of debugging or extended log collection.
Depending on permissions and log storage location, these values could
be read by an intruder to the system. The credentials will provide
anyone who controls them access to the ironic API server's
administrative functions. Additionally, they could be used in
conjunction with OpenStack Identity functions to issue new
authentication tokens or perform further malicious activity depending
on the scope of the administrative account access (for example,
modifying account permissions).

All nova installations that have values defined for the
`admin_password` or `admin_auth_token` options in the `ironic` section,
and have set `debug=true` in the `DEFAULT` section of their
configuration file will be affected by this issue.

### Recommended Actions ###
As of the Liberty-1 release of nova, this issue has been resolved.
It has also been backported to the Kilo and Juno stable releases, which
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.

Where possible, nova deployments should be updated to one of these
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).

If updating the nova deployment is not feasible, operators should
turn off the debug logging level whenever it is not in use and ensure
that log files produced from those debug sessions are stored securely.
To disable the debug log level, the nova configuration file should be
editted as follows:

    [DEFAULT]
    debug = False

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Oslo Config Special Handling Instructions:
http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVm9gAAAoJEJa+6E7Ri+EVkzAH/iAtDU+hKkqkneVD4iLZQqT9
w+tjkUqX8ACcpbTrvkcOFIWUqR4IlwRN2f7bA8foSVgf1uxCg13BLZm9/C2WcjAa
ITvWYbnEV9dpuEtphmcGMqdf+34tJL5E58qYDFA1uapVsEDlymAs5IrW9Lhtw0Ap
70ZXaba1Bmm8JJ6BNJeqYcVwDJhIFNW3dzScXitLduStJXJmxqnIzazes2P7yyq2
7KsKumihgrOX5i94tjpXr5zn6hla3eF7Bew1WPl99GDtSxx4+1Kb68EWwgdDaCYB
AdLfPiZwqlFux3chpzDf16KjGlwmeYUQLL0H6rdT2tZRCmAypevojTQGMjiOmnk=
=hsXW
-----END PGP SIGNATURE-----

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Reply via email to