[OSSA-2017-002] Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Balazs Gibizer |
nova / Mitaka | Fix Released | High | Balazs Gibizer |
nova / Newton | Fix Released | High | Balazs Gibizer |
nova / Ocata | Fix Released | High | Balazs Gibizer |
OpenStack Security Advisory | Fix Released | Medium | Jeremy Stanley |
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive / Mitaka | New | Undecided | Unassigned |
Ubuntu Cloud Archive / Newton | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive / Ocata | Fix Released | Undecided | Unassigned |
nova (Ubuntu) | Fix Released | Undecided | Unassigned |
nova (Ubuntu) / Xenial | New | Undecided | Unassigned |
nova (Ubuntu) / Yakkety | Fix Released | Undecided | Unassigned |
nova (Ubuntu) / Zesty | Fix Released | Undecided | Unassigned |
nova (Ubuntu) / Artful | Fix Released | Undecided | Unassigned |
Bug Description
Noticed here:
I noticed this while investigating public nova bug 1673375, but it looks like that bug is caused by a ValueError coming from the oslo.messaging notification code, related to a circular reference in the json blob:
2017-03-16 05:31:09.399 23355 ERROR oslo_messaging.
[traceback continues for 20 more lines with the same timestamp, PID and "ERROR oslo_messaging." prefix; the remainder of each line is not preserved in this copy of the report]
The security issue here is that the notification payload that's logged has all kinds of auth secrets in it, like tokens and passwords.
From logstash it looks like this is only hitting master (pike) right now.
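The failure mode the report describes, shown as an added example that is not nova's or oslo.messaging's own code and not the actual fix: a notifier whose serialization step raises (here, json's "Circular reference detected" ValueError, as in the report) and whose error handler logs the entire payload, next to a hardened handler that masks credential-bearing keys before logging. The key pattern, the function names and the sample payload are assumptions constructed for the illustration.

```python
"""Added example (not the nova/oslo.messaging code): a failed-notification
error handler that leaks secrets into logs, and a hardened variant.
Everything here is constructed for illustration."""
import io
import json
import logging
import re

# Keys that commonly carry credentials in OpenStack-style payloads.
# Constructed list for this example, not an authoritative set.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|admin_pass)", re.IGNORECASE)


def mask_secrets(obj, _ancestors=None):
    """Return a copy of obj with values under secret-looking keys replaced
    by '***'.  Containers currently being walked are tracked so a circular
    reference (the trigger in the report) terminates instead of recursing."""
    if _ancestors is None:
        _ancestors = set()
    if isinstance(obj, (dict, list, tuple)):
        if id(obj) in _ancestors:
            return "<circular>"
        _ancestors.add(id(obj))
        try:
            if isinstance(obj, dict):
                return {k: ("***" if SECRET_KEY_RE.search(str(k))
                            else mask_secrets(v, _ancestors))
                        for k, v in obj.items()}
            return [mask_secrets(v, _ancestors) for v in obj]
        finally:
            _ancestors.discard(id(obj))
    return obj


def _capturing_logger(name):
    """Logger whose output goes to an in-memory buffer so the example can
    return what would have been written to the log file."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def leaky_notify(event_type, payload):
    """Vulnerable pattern: when the payload cannot be serialized, the
    handler dumps the whole payload, secrets included, into the log."""
    logger, buf = _capturing_logger("leaky")
    try:
        json.dumps(payload)
    except (ValueError, TypeError) as exc:
        logger.error("Failed to send notification %s: %s payload=%r",
                     event_type, exc, payload)
    return buf.getvalue()


def safe_notify(event_type, payload):
    """Hardened pattern: same diagnostic value (event type, exception,
    payload shape) but credential-bearing keys are masked first."""
    logger, buf = _capturing_logger("safe")
    try:
        json.dumps(payload)
    except (ValueError, TypeError) as exc:
        logger.error("Failed to send notification %s: %s masked_payload=%r",
                     event_type, exc, mask_secrets(payload))
    return buf.getvalue()


def build_payload():
    """Constructed sample: a nova-style payload carrying a user token and an
    admin password, plus a self-reference so json.dumps raises ValueError."""
    payload = {
        "instance_id": "0f1e2d3c-example",
        "context": {"auth_token": "gAAAA-example-token", "user_name": "demo"},
        "admin_pass": "Sup3rS3cret",
    }
    payload["self"] = payload  # circular reference, as in the report
    return payload


if __name__ == "__main__":
    p = build_payload()
    print("leaky:", leaky_notify("compute.instance.create.error", p))
    print("safe: ", safe_notify("compute.instance.create.error", p))
```

Masking at the log site is a second line of defence; the first is not placing raw tokens or passwords in notification payloads at all, since every consumer of the notification bus sees them.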
CVE References: CVE-2017-7214
Changed in ossa: status: Incomplete → Confirmed
Changed in nova: assignee: nobody → Balazs Gibizer (balazs-gibizer); status: Confirmed → Fix Released
no longer affects: oslo.messaging
description: updated
Changed in ossa: status: Confirmed → In Progress
summary: "Failed notification payload is dumped in logs with auth secrets" → "Failed notification payload is dumped in logs with auth secrets (2017-7214)"
summary: "Failed notification payload is dumped in logs with auth secrets (2017-7214)" → "Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)"
Changed in ossa: status: In Progress → Fix Committed
summary: "Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)" → "[OSSA-2017-002] Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)"
Changed in ossa: importance: Undecided → Medium; assignee: nobody → Jeremy Stanley (fungi)
Changed in nova (Ubuntu Artful): status: New → Fix Released
Changed in nova (Ubuntu Zesty): status: New → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
If it can be confirmed for certain that the commit introducing this behavior is master-branch-only impacting then we can drop the embargo and forgo the advisory (Class Y report).