HDS HNAS driver logs HNAS password as plain text

Bug #1491524 reported by Tiago Pasqualini da Silva
Affects                      Status        Importance  Assigned to                Milestone
Cinder                       Fix Released  Undecided   Tiago Pasqualini da Silva
  Juno                       Fix Released  Undecided   Unassigned
  Kilo                       Fix Released  Undecided   Unassigned
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned

Bug Description

HDS HNAS driver logs every command that is sent to HNAS. Since some commands need the HNAS password, this password is being logged as plain text.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Are those commands logged without DEBUG?

Changed in ossa:
status: New → Incomplete
information type: Private Security → Public
Revision history for this message
Erlon R. Cruz (sombrafam) wrote :

No, the passwords are shown only when DEBUG is enabled.

Changed in cinder:
assignee: nobody → Erlon R. Cruz (sombrafam)
status: New → In Progress
Changed in cinder:
assignee: Erlon R. Cruz (sombrafam) → Tiago Pasqualini da Silva (tiago.pasqualini)
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

I removed the OSSA task since a DEBUG leak does not yield an advisory.

Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/219810
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=15755b8e9a5f8019e8d19b709b86d582d8b6e0c2
Submitter: Jenkins
Branch: master

commit 15755b8e9a5f8019e8d19b709b86d582d8b6e0c2
Author: Tiago Pasqualini <email address hidden>
Date: Wed Sep 2 14:58:03 2015 -0300

    Fix HDS HNAS driver logging password as plain text

    HDS HNAS driver logs every command that is sent to HNAS. Some
    commands need the HNAS password, so the driver ends up logging
    this password as plain text. This patch changes these commands
    syntax so that oslo_utils.strutils.mask_password can successfully
    mask this password.

    Change-Id: I720701d8ee2b944ad498917f668160894f1f07cc
    Closes-Bug: #1491524

Changed in cinder:
status: In Progress → Fix Committed
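Worked example, added here and not code from the bug report, the HNAS driver or the Cinder project: it shows what oslo_utils.strutils.mask_password can and cannot redact in a joined command line, which is why the fix above had to change the "command syntax" rather than just call the masker. The `ssc -u ... -p ...` and `--password ...` invocations are constructed illustrations (the driver's real command lines are not shown on this page), the credential and host are made-up samples, and when oslo_utils is not installed a small stand-in with the same behaviour for these forms is used so the block runs offline.

```python
import re

try:
    # The helper the fix relies on; used when oslo_utils is installed.
    from oslo_utils.strutils import mask_password
except ImportError:
    # Stand-in (not oslo code) reproducing the behaviour that matters here:
    # only recognised key names, in recognised syntaxes, are redacted.
    _KEYS = ('password', 'admin_pass', 'adminPass', 'auth_token', 'secret')
    _FORMS = (
        # key=value       -> key=***
        (r'(%(key)s\s*=\s*)[^\s\'"]+', r'\g<1>%(secret)s'),
        # --key value     -> --key ***
        (r'(--%(key)s\s+)[^\s\'"=]+', r'\g<1>%(secret)s'),
        # "key": "value"  -> "key": "***"   (JSON / dict repr)
        (r'(["\']%(key)s["\']\s*:\s*["\'])[^"\']*(["\'])',
         r'\g<1>%(secret)s\g<2>'),
    )

    def mask_password(message, secret='***'):
        """Redact credential values that follow a known key name."""
        if not any(k.lower() in message.lower() for k in _KEYS):
            return message
        for key in _KEYS:
            for pattern, repl in _FORMS:
                message = re.sub(pattern % {'key': key},
                                 repl % {'secret': secret},
                                 message, flags=re.IGNORECASE)
        return message


def logged_command_line(argv, secret='***'):
    """The string a processutils-style 'Running cmd (subprocess): ...' line
    would carry: the argv joined and passed through mask_password."""
    return mask_password(' '.join(argv), secret)


def leaks(argv, credential):
    """Regression check: does the credential survive into the log line?"""
    return credential in logged_command_line(argv)


# Constructed sample credential and hypothetical invocations; the real HNAS
# driver's command lines are not shown on this page.
PASSWORD = 'hunter2'
HOST = '10.0.0.1'
# Single-letter flag: nothing for the masker to key on, so it leaks.
LEAKY_ARGV = ['ssc', '-u', 'supervisor', '-p', PASSWORD, HOST, 'df', '-a']
# Long-option forms the masker recognises.
MASKED_ARGV = ['ssc', '-u', 'supervisor', '--password', PASSWORD, HOST, 'df', '-a']
MASKED_EQ_ARGV = ['ssc', '-u', 'supervisor', '--password=' + PASSWORD, HOST, 'df', '-a']


if __name__ == '__main__':
    for argv in (LEAKY_ARGV, MASKED_ARGV, MASKED_EQ_ARGV):
        verdict = 'LEAK' if leaks(argv, PASSWORD) else 'ok'
        print('%-5s %s' % (verdict, logged_command_line(argv)))
```

Only the joined string handed to the logger is inspected: a credential logged on its own LOG.debug line, or passed in a flag form the patterns do not recognise (the `-p` case above), still ends up in the log. A check like `leaks()` in the driver's unit tests is what keeps a fix of this kind from regressing. Because the command line is emitted at DEBUG (oslo's processutils logs it at that level by default), this is consistent with the comment above that the password only showed when DEBUG was enabled; the log files are still worth treating as sensitive on any deployment that runs at that level.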
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/221470

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/221922

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (stable/kilo)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/221470
Reason: Could not change Change-Id for this patch, so I sent a new one.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/kilo)

Reviewed: https://review.openstack.org/221922
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=9314616cac732fb9ec2f1dfb879c98c614226909
Submitter: Jenkins
Branch: stable/kilo

commit 9314616cac732fb9ec2f1dfb879c98c614226909
Author: Tiago Pasqualini <email address hidden>
Date: Wed Sep 2 14:58:03 2015 -0300

    Fix HDS HNAS driver logging password as plain text

    HDS HNAS driver logs every command that is sent to HNAS. Some
    commands need the HNAS password, so the driver ends up logging
    this password as plain text. This patch changes these commands
    syntax so that oslo_utils.strutils.mask_password can successfully
    mask this password.

    Conflicts:
     cinder/volume/drivers/hds/hnas_backend.py

    Change-Id: I720701d8ee2b944ad498917f668160894f1f07cc
    Closes-Bug: #1491524
    (cherry picked from commit 15755b8e9a5f8019e8d19b709b86d582d8b6e0c2)

tags: added: in-stable-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/222630

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/juno)

Reviewed: https://review.openstack.org/222630
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=7979f558a6d9eedcda6fee6cfbcc5eca93c4fc8c
Submitter: Jenkins
Branch: stable/juno

commit 7979f558a6d9eedcda6fee6cfbcc5eca93c4fc8c
Author: Tiago Pasqualini <email address hidden>
Date: Fri Sep 11 10:57:20 2015 -0300

    Fix HDS HNAS driver logging password as plain text

    HDS HNAS driver logs every command that is sent to HNAS. Some
    commands need the HNAS password, so the driver ends up logging
    this password as plain text. This patch changes these commands
    syntax so that oslo_utils.strutils.mask_password can successfully
    mask this password.

    Based on commit 15755b8e9a5f8019e8d19b709b86d582d8b6e0c2.
    Cherry-pick was not successful since the files are significantly
    different from master branch, so the changes were manually
    replicated on these files.

    Change-Id: I720701d8ee2b944ad498917f668160894f1f07cc
    Closes-Bug: #1491524

tags: added: in-stable-juno
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: liberty-rc1 → 7.0.0