hitachi and OEM : output REST API token
Bug #2040966 reported by
Atsushi Kawai
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
Fix Released
|
Undecided
|
Unassigned | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
When accessing REST API server for Hitachi, NEC V or HPE XP storages,
following two user authorization ways are existing:
- when generating a session: authorization by ID and password
- after generating the session : authorization by a token
The token is generated when generating a session, and it is valid until the session is discarded.
The bug is that the token is output to log file with DEBUG=true
on Hitachi, HPE XP and NEC V cinder drivers.
It's a security risk.
[workaround]
set ``debug = False`` in DEAULT section on cinder.conf
| description: | updated |
| description: | updated |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #1 |
| information type: | Private Security → Public |
| tags: | added: security |
| Changed in ossa: | |
| status: | New → Won't Fix |
Revision history for this message
| Atsushi Kawai (atsushi-kawai-bu) wrote | #2 |
| Changed in cinder: | |
| status: | New → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to cinder (master) | #3 |
| Changed in cinder: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/cinder 26.0.0.0rc1 | #4 |
To post a comment you must log in.
Thanks for reporting this!
According to the OpenStack Vulnerability Management Team's Report Taxonomy, leaks of sensitive information into logs at debug logging level are handled as security hardening opportunities (Class B3), and can be discussed and fixed in public. No security advisory will be issued, though if anyone feels a security note about this is warranted they're free to submit one.
https:/