[CVE-2015-3646][OSSA 2015-008] backend_argument containing a password leaked in logs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | High | Alexander Makarov | |
| 5.1.x | Fix Released | High | Denis Puchkin | |
| 6.0.x | Fix Released | High | Denis Puchkin | |
| 6.1.x | Fix Released | High | Alexander Makarov | |
| 7.0.x | Fix Released | High | Alexander Makarov | |
Bug Description
The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password.
Snippet from http://

```ini
[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend
backend = keystone.
# Backend specific configuration arguments
backend_argument = db_hosts:
backend_argument = db_name:ks_cache
backend_argument = cache_collectio
backend_argument = username:test_user
backend_argument = password:
```
As a result, passwords can be leaked to the keystone logs, since the config option is not marked secret.
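The mechanism behind this bug, and behind the fix, can be shown with a small stand-alone model. The following is an added example, not keystone's or oslo.config's own code: a minimal INI parser that accumulates repeated `backend_argument` lines the way a multi-valued option does, and a startup option dump that masks values only for options registered with `secret=True`. The config text, the backend name `keystone.cache.mongo`, the host and the password are constructed placeholders; the `****` mask mirrors the masking string oslo.config uses for secret options.

```python
import re
from dataclasses import dataclass

# Constructed sample keystone.conf fragment. The backend name and every
# argument value are placeholders, not taken from any real deployment.
SAMPLE_CONF = """\
[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend (placeholder name)
backend = keystone.cache.mongo
# Backend specific configuration arguments (one value per line)
backend_argument = db_hosts:cache-db.example.invalid:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:Placeholder-Secret-1
"""

MASK = "****"  # masking string used in place of secret option values


@dataclass(frozen=True)
class Opt:
    """Registered option. multi=True allows repeated keys to accumulate;
    secret=True keeps the value out of any log output."""
    name: str
    multi: bool = False
    secret: bool = False


# Registry as it stood before the fix: backend_argument is not secret.
VULNERABLE_OPTS = {
    "enabled": Opt("enabled"),
    "backend": Opt("backend"),
    "backend_argument": Opt("backend_argument", multi=True, secret=False),
}

# Registry after the fix: the whole multi-valued option is marked secret,
# because any one of its values may carry a password.
FIXED_OPTS = dict(VULNERABLE_OPTS)
FIXED_OPTS["backend_argument"] = Opt("backend_argument", multi=True, secret=True)

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Parse an INI-style file into {section: {key: [values]}}.
    Repeated keys accumulate instead of overwriting each other."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            section = conf.setdefault(m.group("name"), {})
            continue
        m = _KV.match(line)
        if m is None or section is None:
            raise ValueError("malformed line: %r" % raw)
        section.setdefault(m.group("key"), []).append(m.group("value"))
    return conf


def log_opt_values(conf, registry, section="cache"):
    """Render the option dump a service writes to its log at startup.
    Secret options are masked; keys absent from the registry are skipped."""
    lines = []
    for key, values in conf.get(section, {}).items():
        opt = registry.get(key)
        if opt is None:
            continue
        shown = [MASK if opt.secret else v for v in values]
        if opt.multi:
            lines.extend("%s.%s = %s" % (section, key, v) for v in shown)
        else:
            lines.append("%s.%s = %s" % (section, key, shown[-1]))
    return lines


def value_leaks(lines, needle):
    """True if the sensitive string appears anywhere in the log dump."""
    return any(needle in line for line in lines)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for label, registry in (("before fix", VULNERABLE_OPTS), ("after fix", FIXED_OPTS)):
        dump = log_opt_values(conf, registry)
        print("--- %s ---" % label)
        print("\n".join(dump))
        print("password leaked:", value_leaks(dump, "Placeholder-Secret-1"))
```

Running the block prints the dump twice: before the fix the line `cache.backend_argument = password:Placeholder-Secret-1` appears verbatim; after it every `backend_argument` value is replaced by `****`. Marking the whole option secret is coarser than redacting only the `password:` argument, but it is the safe choice when the option's own format does not tell the logger which values are sensitive.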
Changed in mos:
- milestone: none → 5.1.2
- no longer affects: mos/6.0.x
- tags: added: 6.1-mu-1
- tags: added: feature-security
Patch for 7.0 is already there: https://review.fuel-infra.org/gitweb?p=openstack/keystone.git;a=commit;h=86df39c01e96ad3b15e33eb6fc1bf726a0a704c5