Reviewed: https://review.opendev.org/674821
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=298b337a16c0d10916b4431c436d19b3d6f5360e
Submitter: Zuul
Branch: master
commit 298b337a16c0d10916b4431c436d19b3d6f5360e
Author: Matt Riedemann <mriedem...@gmail.com>
Date: Fri Jul 26 10:53:02 2019 -0400

    Replace non-nova server fault message

    The server fault "message" is always shown in the API server response,
    regardless of policy or user role. The fault "details" are only shown
    to users with the admin role when the fault code is 500.

    The problem with this is for non-nova exceptions, the fault message is
    a string-ified version of the exception (see
    nova.compute.utils.exception_to_dict) which can contain sensitive
    information which the non-admin owner of the server can see.

    This change adds a functional test to recreate the issue and a change
    to exception_to_dict which for the non-nova case changes the fault
    message by simply storing the exception type class name. Admins can
    still see the fault traceback in the "details" key of the fault dict
    in the server API response.

    Note that _get_fault_details is changed so that the details also
    includes the exception value which is what used to be in the fault
    message for non-nova exceptions. This is necessary so admins can still
    get the exception message with the traceback details.

    Note that nova exceptions with a %(reason)s replacement variable could
    potentially be leaking sensitive details as well but those would need
    to be cleaned up on a case-by-case basis since we don't want to change
    the behavior of all fault messages otherwise users might not see
    information like NoValidHost when their server goes to ERROR status
    during scheduling.

    SecurityImpact: This change contains a fix for CVE-2019-14433.

    Change-Id: I5e0a43ec59341c9ac62f89105ddf82c4a014df81
    Closes-Bug: #1837877

** Changed in: nova
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1837877

Title:
  [OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)

Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Compute (nova) ocata series: In Progress
Status in OpenStack Compute (nova) pike series: In Progress
Status in OpenStack Compute (nova) queens series: In Progress
Status in OpenStack Compute (nova) rocky series: In Progress
Status in OpenStack Compute (nova) stein series: In Progress
Status in OpenStack Security Advisory: Fix Committed

Bug description:
  This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

  It would appear Nova is revealing information that may be sensitive in error messages
  http://lists.openstack.org/pipermail/openstack-infra/2019-July/006426.html

  I attempted to hard-reboot it, and it went into an error state.

  The initial error in the server status was

  {'message': 'Timed out during operation: cannot acquire state change lock (held by monitor=remoteDispatchDomainCreateWithFlags)', 'code': 500, 'created': '2019-07-25T07:25:25Z'}

  After a short period, I tried again and got a different error state

  {'message': "internal error: process exited while connecting to monitor: lc=,keyid=masterKey0,iv=jHURYcYDkXqGBu4pC24bew==,format=base64 -drive 'file=rbd:volumes/volume-41553c15-6b12-4137-a318-7caf6a9eb44c:id=cinder:auth_supported=cephx\\;none:mon_host=172.24.0.56\\:6789", 'code': 500, 'created': '2019-07-25T07:27:21Z'}

  I don't know if this is a setting or a bug. Better to report and close than not say anything I guess.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1837877/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
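The fault-handling change described in the commit message above, modelled as a self-contained Python 3 example. This is added here for illustration and is not nova's own code: NovaException, NoValidHost, libvirtError, exception_to_dict and render_fault are simplified stand-ins for nova.compute.utils.exception_to_dict, _get_fault_details and the API's fault view, and the driver error string is constructed to resemble the one in the bug report. The fixed=False path reproduces the pre-fix leak (the whole driver exception lands in "message", which every instance owner can read); the fixed=True path stores only the exception class name there and moves the exception value, together with the traceback, into the admin-only "details".

```python
import traceback


class NovaException(Exception):
    """Stand-in for nova's base exception (constructed for this example): the
    message comes from a format string and is intended to be user-visible."""
    code = 500
    msg_fmt = "An unknown exception occurred."

    def __init__(self, **kwargs):
        super().__init__(self.msg_fmt % kwargs)

    def format_message(self):
        return self.args[0]


class NoValidHost(NovaException):
    """A nova exception whose message users are expected to see."""
    code = 400
    msg_fmt = "No valid host was found. %(reason)s"


class libvirtError(Exception):
    """Stand-in for a non-nova driver exception (not the real libvirt module)."""


def exception_to_dict(exc, created, fixed=True):
    """Model of nova.compute.utils.exception_to_dict (assumed shape).

    Nova exceptions keep their own code and formatted message. Anything else
    becomes code 500; with fixed=True 'message' carries only the exception
    class name, while fixed=False string-ifies the whole exception (the leak).
    """
    if isinstance(exc, NovaException):
        message, code = exc.format_message(), exc.code
    elif fixed:
        message, code = exc.__class__.__name__, 500
    else:
        message, code = str(exc), 500
    details = None
    if code == 500:
        # Model of the fixed _get_fault_details: exception value plus
        # traceback, so admins still see what was dropped from 'message'.
        details = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"message": message, "code": code, "created": created,
            "details": details}


def render_fault(fault, is_admin):
    """What the API response exposes: 'message' and 'code' to everyone,
    'details' only to admins and only when the code is 500."""
    out = {k: fault[k] for k in ("message", "code", "created")}
    if is_admin and fault["code"] == 500 and fault["details"]:
        out["details"] = fault["details"]
    return out


# Constructed driver error in the shape of the one from the bug report; the
# connection string is fake and stands in for data an instance owner must not see.
DRIVER_ERROR = ("internal error: process exited while connecting to monitor: "
                "-drive file=rbd:volumes/volume-00000000-0000-0000-0000-000000000000:"
                "id=cinder:auth_supported=cephx;mon_host=192.0.2.10:6789")


def hard_reboot_fault(fixed=True):
    """Raise the constructed driver error (so it carries a traceback) and
    record it as a server fault."""
    try:
        raise libvirtError(DRIVER_ERROR)
    except libvirtError as exc:
        return exception_to_dict(exc, "2019-07-25T07:27:21Z", fixed=fixed)


def scheduling_fault():
    """A nova exception whose user-facing message must survive the fix."""
    try:
        raise NoValidHost(reason="There are not enough hosts available.")
    except NoValidHost as exc:
        return exception_to_dict(exc, "2019-07-25T07:25:25Z")


if __name__ == "__main__":
    for fixed in (False, True):
        owner_view = render_fault(hard_reboot_fault(fixed=fixed), is_admin=False)
        print("fixed=%s, owner sees message: %r" % (fixed, owner_view["message"]))
    admin_view = render_fault(hard_reboot_fault(), is_admin=True)
    print("admin details end with:", admin_view["details"].splitlines()[-1])
    print("owner still sees:", render_fault(scheduling_fault(), False)["message"])
```

Running the script shows the owner's "message" shrinking from the full connection string to just "libvirtError" once the fix is applied, while the admin view keeps the complete exception line at the end of the traceback, and the NoValidHost message (code 400) stays visible to the owner because it never went through the non-nova branch.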