hitachi and OEM : output REST API token

Bug #2040966 reported by Atsushi Kawai
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
New
Undecided
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

When accessing REST API server for Hitachi, NEC V or HPE XP storages,
following two user authorization ways are existing:

- when generating a session: authorization by ID and password
- after generating the session : authorization by a token

The token is generated when generating a session, and it is valid until the session is discarded.

The bug is that the token is output to log file with DEBUG=true
on Hitachi, HPE XP and NEC V cinder drivers.
It's a security risk.

[workaround]
set ``debug = False`` in DEAULT section on cinder.conf

Tags: security
description: updated
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks for reporting this!

According to the OpenStack Vulnerability Management Team's Report Taxonomy, leaks of sensitive information into logs at debug logging level are handled as security hardening opportunities (Class B3), and can be discussed and fixed in public. No security advisory will be issued, though if anyone feels a security note about this is warranted they're free to submit one.

https://security.openstack.org/vmt-process.html#report-taxonomy

information type: Private Security → Public
tags: added: security
Changed in ossa:
status: New → Won't Fix
Revision history for this message
Atsushi Kawai (atsushi-kawai-bu) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.