security-doc/security-notes/OSSN-0024
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

80 lines
3.4 KiB
Plaintext

Sensitive data is exposed in log statements by python-keystoneclient
---
### Summary ###
Python-keystoneclient is a client tool for the OpenStack Identity API,
which is implemented by the Keystone project. Various OpenStack services
including the OpenStack Dashboard depend on python-keystoneclient to
consume the OpenStack Identity API service. A particular log level
setting in python-keystoneclient can lead to exposure of user sensitive
data (e.g., passwords or tokens) in log statements.
### Affected Services / Software ###
Python-keystoneclient=<0.10.0
### Discussion ###
Python-keystoneclient provides an interface for making Identity API
requests to the OpenStack Identity Service, Keystone.
Python-keystoneclient handles user sensitive data such as user passwords
and tokens when sending requests or receiving responses from a Keystone
server. Like all OpenStack projects, python-keystoneclient uses a python
logger to log request/response activities. When python-keystoneclient
runs with the DEBUG log level enabled, sensitive data such as user
passwords and tokens associated with requests/responses will be exposed
in log statements. For example:
---- begin example ----
$ keystone --debug user-list
DEBUG:keystoneclient.session:REQ: curl -i -X POST
http://10.0.0.15:5000/v2.0/tokens -H "Content-Type:application/json"
-H "User-Agent: python-keystoneclient"
DEBUG:keystoneclient.session:REQ BODY: {"auth": {"tenantName": "admin",
"passwordCredentials": {"username": "admin", "password": "stack"
}}}
---- end example ----
This sensitive data can potentially be exploited by an attacker with
access to the log statements.
Python-keystoneclient is used by Horizon and other Identity consuming
services to authenticate a user against the Identity API service,
Keystone. A user providing password or token for authentication to these
services could result in the capture of this sensitive data in the
respective services log statements.
### Recommended Actions ###
Version 0.10.1 of python-keystoneclient has addressed this issue by not
exposing user password and token information in log statements. Any
service using version 0.10.1 or later of python-keystoneclient is not
affected by this issue. Other services using old versions, should
upgrade to a fixed version of python-keystoneclient.
For a fresh installation of a service which depends on
pythone-keystoneclient, make sure it uses at least version 0.10.1 of
python-keystoneclient. One way to do this is to set a specific version
in the requirments.txt file. For example, in Horizon, update
horizon/requirements.txt file:
---- begin example ----
python-keystoneclient>=0.10.1
---- end example ----
For existing installations, upgrade python-keystoneclient to the
latest version. For example, python package manager (PIP) can be used
to upgrade the existing installations.
---- begin example ----
$ pip install python-keystoneclient --upgrade
---- end example ----
An alternate approach is to never run a production system with the log
level in DEBUG mode.
### Contacts / References ###
Author: Abu Shohel Ahmed, Ericsson
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0024
Original Launchpad Bug: https://bugs.launchpad.net/python-keystoneclient/+bug/1004114
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1004114
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg