[CVE-2015-3646][OSSA 2015-008] backend_argument containing a password leaked in logs

Bug #1469149 reported by Alexander Makarov
Affects             Status        Importance  Assigned to        Milestone
Mirantis OpenStack  Fix Released  High        Alexander Makarov
  5.1.x             Fix Released  High        Denis Puchkin
  6.0.x             Fix Released  High        Denis Puchkin
  6.1.x             Fix Released  High        Alexander Makarov
  7.0.x             Fix Released  High        Alexander Makarov

Bug Description

The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password.

Snippet from http://docs.openstack.org/developer/keystone/developing.html#dogpile-cache-based-mongodb-nosql-backend

[cache]
# Global cache functionality toggle.
enabled = True

# Referring to specific cache backend
backend = keystone.cache.mongo

# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password

As a result, passwords can be leaked to the keystone logs since the config option is not marked secret.
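The check a practitioner wants after reading the description above is whether the value behind `password:` has already been written to a keystone log, and what the option line looks like once the fix (marking backend_argument secret) is in place. The following is an added example written for this report; it is not keystone code and not one of the patches linked below. It assumes that only the `password` key of backend_argument carries a secret, that the log lines are in the shape of oslo.config's start-up option dump (the sample lines and the keystone.conf fragment are constructed here, not captured from a host), and that `****` is the placeholder a secret option is rendered with; treat that placeholder as illustrative.

```python
"""Audit a keystone.conf plus log lines for the backend_argument leak.

Added example for bug #1469149; not keystone code and not one of the
linked patches.
"""
import re

# backend_argument keys whose values are secrets.  Assumption: only
# 'password' carries one for the documented MongoDB backend; extend as needed.
SECRET_KEYS = {"password"}

# Constructed keystone.conf fragment, mirroring the documented MongoDB backend.
SAMPLE_CONF = """\
[DEFAULT]
debug = True

[cache]
# Global cache functionality toggle.
enabled = True
backend = keystone.cache.mongo
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password
"""

# Constructed log lines in the shape of the DEBUG option dump a service
# writes at start-up (format simplified; not captured from a real host).
SAMPLE_LOG = [
    "2015-06-26 13:02:52.100 1234 DEBUG keystone.common.config [-] "
    "cache.backend = keystone.cache.mongo",
    "2015-06-26 13:02:52.101 1234 DEBUG keystone.common.config [-] "
    "cache.backend_argument = ['db_hosts:localhost:27017', 'db_name:ks_cache', "
    "'cache_collection:cache', 'username:test_user', 'password:test_password']",
    "2015-06-26 13:02:52.102 1234 DEBUG keystone.common.config [-] "
    "cache.enabled = True",
]


def parse_backend_arguments(conf_text, section="cache"):
    """Return [(key, value), ...] for every backend_argument in `section`.

    backend_argument is a multi-valued option: the same key is repeated, so
    configparser (which keeps only the last duplicate) is not usable here.
    The value is split on the FIRST colon only, because values such as
    'db_hosts:localhost:27017' legitimately contain further colons.
    """
    args = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current != section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() != "backend_argument":
            continue
        key, sep, val = value.strip().partition(":")
        if sep:
            args.append((key.strip(), val.strip()))
    return args


def secret_values(args):
    """The values that must not appear verbatim anywhere in a log."""
    return {v for k, v in args if k.lower() in SECRET_KEYS and v}


def find_leaks(log_lines, secrets):
    """Return (line_no, line) for each log line containing a secret verbatim.

    A plain substring match is deliberate: it also catches leaks outside the
    option dump.  Very short or dictionary-word passwords will produce false
    positives; review hits before acting on them.
    """
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if any(s in line for s in secrets)]


_OPT_LINE = re.compile(r"^(?P<prefix>.*\bcache\.backend_argument\s*=\s*).*$")


def mask_secret_option(line, mask="****"):
    """Render an option-dump line as it should appear after the fix.

    Marking the option secret masks its entire value, so the harmless
    db_hosts/db_name elements leave the log together with the password.
    Assumption: '****' is the placeholder; treat it as illustrative.
    """
    m = _OPT_LINE.match(line)
    return m.group("prefix") + mask if m else line


def audit(conf_text, log_lines):
    """Parse the config, then report the leaked lines from `log_lines`."""
    secrets = secret_values(parse_backend_arguments(conf_text))
    return find_leaks(log_lines, secrets)


if __name__ == "__main__":
    for n, line in audit(SAMPLE_CONF, SAMPLE_LOG):
        print("LEAK at line %d: %s" % (n, line))
        print("  after fix  : %s" % mask_secret_option(line))
```

Two points worth keeping in mind when running this against a real deployment: the option dump is only written at DEBUG level, so a node that never ran with debug enabled may show no hit even though the configuration is vulnerable, and a hit means the password must be rotated and the affected log files (including any copies shipped to a central log store) treated as compromised, not merely scrubbed.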

CVE References

CVE-2015-3646

Changed in mos:
milestone: none → 5.1.2
no longer affects: mos/6.0.x
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/keystone (openstack-ci/fuel-6.2/2014.2)

Change abandoned by Alexander Makarov <email address hidden> on branch: openstack-ci/fuel-6.2/2014.2
Review: https://review.fuel-infra.org/8523
Reason: 6.2 appears dead

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-6.1/2014.2)

Reviewed: https://review.fuel-infra.org/8525
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: 5680bfc7966800c4b04d88f3c59c2a6cf7e8771e
Author: Eric Brown <email address hidden>
Date: Fri Jun 26 13:02:52 2015

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1469149

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-6.0.1/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0.1/2014.2
Change author: Eric Brown <email address hidden>
Review: https://review.fuel-infra.org/8533

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-6.0.1/2014.2)

Reviewed: https://review.fuel-infra.org/8533
Submitter: Alexander Makarov <email address hidden>
Branch: openstack-ci/fuel-6.0.1/2014.2

Commit: 20815522742b188886ec7127f57c8c7b4535eaa1
Author: Eric Brown <email address hidden>
Date: Fri Jun 26 14:31:10 2015

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1469149

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)
(cherry picked from commit 5680bfc7966800c4b04d88f3c59c2a6cf7e8771e)

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-5.1.2/2014.1.1)

Reviewed: https://review.fuel-infra.org/8522
Submitter: Alexander Makarov <email address hidden>
Branch: openstack-ci/fuel-5.1.2/2014.1.1

Commit: 67d8ccb78b59e554be5d66641f022e96faa907a4
Author: Eric Brown <email address hidden>
Date: Fri Jun 26 15:18:50 2015

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1469149

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

tags: added: 6.1-mu-1
Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

Link to review for errata in patching-tests repo - https://review.fuel-infra.org/#/c/9085/

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9085
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: 3e5dcda776412f4cf80c1bf985edabb20f3551f6
Author: Alex Ermolov <email address hidden>
Date: Wed Jul 8 10:22:37 2015

[CVE-2015-3646][OSSA 2015-008] backend_argument containing a password leaked in logs

Closes-Bug: #1469149
Change-Id: Ia0e441a6c7ddbbac915d3e95c4854fdd312dca4b

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote :

Reviewed: https://review.fuel-infra.org/9180
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: 7b892ff033aa0551a1d0a5aafad35574a08aab32
Author: Alex Ermolov <email address hidden>
Date: Thu Jul 9 15:57:34 2015

backend_argument containing a password leaked in logs

Closes-Bug: #1469149
Change-Id: If8f92c005715a45a3a7edc3b0cf79efe2fc7164b

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to patching-tests (stable/6.1)

Fix proposed to branch: stable/6.1
Change author: Alexey Shtokolov <email address hidden>
Review: https://review.fuel-infra.org/9274

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9274
Submitter: Alexey Shtokolov <email address hidden>
Branch: stable/6.1

Commit: 546b2e18bb12898b7a96d0cf8dfcf8de1afec596
Author: Alexey Shtokolov <email address hidden>
Date: Mon Jul 13 15:02:01 2015

Closes-Bug: #1469149

Change-Id: Ifeb32c447f7c011f0c10f68b724dc0f927f8a937

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to patching-tests (stable/6.1)

Fix proposed to branch: stable/6.1
Change author: Alexey Shtokolov <email address hidden>
Review: https://review.fuel-infra.org/9278

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9278
Submitter: Alexey Shtokolov <email address hidden>
Branch: stable/6.1

Commit: 5b5014c5697019f5cc8c93bb0ebcaba84936f49c
Author: Alexey Shtokolov <email address hidden>
Date: Mon Jul 13 15:30:55 2015

Closes-Bug: #1469149
bug/1469149

Change-Id: I788529a52e25bec6a7f31a3d4e011b47a48bd65b

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to patching-tests (stable/6.1)

Fix proposed to branch: stable/6.1
Change author: Vitaly Gusev <email address hidden>
Review: https://review.fuel-infra.org/9427

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9427
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: e05be584a0df0b6803e93768f1e3aebb04ef1827
Author: Vitaly Gusev <email address hidden>
Date: Thu Jul 16 14:04:37 2015

backend_argument containing a password leaked in logs

Change-Id: I40caeb4fda5905b216d343ece5937e95908b0d1b
Closes-Bug: #1469149

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to patching-tests (stable/6.1)

Related fix proposed to branch: stable/6.1
Change author: Vitaly Sedelnik <email address hidden>
Review: https://review.fuel-infra.org/9703

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9703
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: 896336bfc52269ffa59fa77e08f2a5517c873d03
Author: Vitaly Sedelnik <email address hidden>
Date: Tue Jul 21 13:28:26 2015

Replace reboot with restarting keystone

For bug 1469149 restarting keystone is enough to apply the fix,
rebooting entire cluster is not needed.

Related-Bug: #1469149

Change-Id: Ibd771ccaec7f9fdd6c22279b00acd9c395412e0f

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to patching-tests (stable/6.1)

Related fix proposed to branch: stable/6.1
Change author: Vitaly Sedelnik <email address hidden>
Review: https://review.fuel-infra.org/9724

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix merged to patching-tests (stable/6.1)

Reviewed: https://review.fuel-infra.org/9724
Submitter: Vitaly Sedelnik <email address hidden>
Branch: stable/6.1

Commit: 32d647cbea49ed370b3e5f89602adfe9d288e65b
Author: Vitaly Sedelnik <email address hidden>
Date: Tue Jul 21 17:03:31 2015

Update keystone on controllers only

Related-Bug: #1469149

Change-Id: Icc0e067205aa7c56a8d684f572671a6a5a431847

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Eric Brown <email address hidden>
Review: https://review.fuel-infra.org/13122

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystone (openstack-ci/fuel-6.0-updates/2014.2)

Fix proposed to branch: openstack-ci/fuel-6.0-updates/2014.2
Change author: Eric Brown <email address hidden>
Review: https://review.fuel-infra.org/13123

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/13122
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: cca5c6d41a0bcb7b5a22c052589cf17576683b5d
Author: Eric Brown <email address hidden>
Date: Fri Oct 23 13:14:23 2015

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1469149

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-6.0-updates/2014.2)

Reviewed: https://review.fuel-infra.org/13123
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-6.0-updates/2014.2

Commit: 1e5b2e4745fbeb8edb9ec2492f2b3f09416b4318
Author: Eric Brown <email address hidden>
Date: Fri Oct 23 13:15:58 2015

backend_argument should be marked secret

Since the backend_argument can potentially contain a password,
it should be marked secret to avoid leakage into the logs.

Closes-Bug: #1469149

Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 6.0
packages:
keystone,python-keystone
version:
1:2014.2-fuel6.0~mira18

tags: added: feature-security