openstack/security-doc
Code Issues Proposed changes
6f68b1e891
security-doc/security-notes/OSSN-0049
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes 
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

66 lines
3.0 KiB
Plaintext
Raw Blame History

Nova ironic driver logs sensitive information while operating in debug mode
---
### Summary ###
The password and authentication token configuration options for the
ironic driver in nova are not marked as secret. The values of these
options will be logged to the standard logging output when the
controller is run in debug mode.
### Affected Services / Software ###
Nova, Ironic, Juno, Kilo
### Discussion ###
When using nova with the ironic driver, an operator will need to specify
either the password or an authentication token for the ironic admin
user's keystone credentials. Under normal circumstances this is not an
issue, but when running the API server with logging levels set to
include the DEBUG message level these credentials will be exposed in
the logs.
Logging of configuration values is controlled by the `secret` flag for
any oslo configuration option. Without this flag set, the value for a
configuration option will be displayed in the logs. In the case of the
ironic credentials, these options are not marked as secret.
This presents a challenge to any operator who might have increased the
log verbosity for the purposes of debugging or extended log collection.
Depending on permissions and log storage location, these values could
be read by an intruder to the system. The credentials will provide
anyone who controls them access to the ironic API server's
administrative functions. Additionally, they could be used in
conjunction with OpenStack Identity functions to issue new
authentication tokens or perform further malicious activity depending
on the scope of the administrative account access (for example,
modifying account permissions).
All nova installations that have values defined for the
`admin_password` or `admin_auth_token` options in the `ironic` section,
and have set `debug=true` in the `DEFAULT` section of their
configuration file will be affected by this issue.
### Recommended Actions ###
As of the Liberty-1 release of nova, this issue has been resolved.
It has also been backported to the Kilo and Juno stable releases, which
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.
Where possible, nova deployments should be updated to one of these
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).
If updating the nova deployment is not feasible, operators should
turn off the debug logging level whenever it is not in use and ensure
that log files produced from those debug sessions are stored securely.
To disable the debug log level, the nova configuration file should be
editted as follows:
[DEFAULT]
debug = False
### Contacts / References ###
Author: Michael McCune, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions
View Git Blame Copy Permalink