
yahoo-eng-team team mailing list archive

[Bug 1327019] Re: OpenStack shell print credentials by default in debug mode

 

** Description changed:

- neutron client shell set log_credentials to True for debugging purpose:
+ OpenStack shell client prints credential information (user password and
+ user token) by default in debug mode.
  
- https://github.com/openstack/python-
- neutronclient/blame/master/neutronclient/shell.py#L643
+ For example:
  
- Although the credentials are not logged, it's still vulnerable to print
- sensitive information (user password and token) to the shell when there
- is no configuration to neutron client to close this feature.
+ neutron --debug net-list
+ DEBUG: neutronclient.neutron.v2_0.network.ListNetwork get_data(Namespace(columns=[], fields=[], formatter='table', page_size=None, quote_mode='nonnumeric', request_format='json', show_details=False, sort_dir=[], sort_key=[]))
+ DEBUG: neutronclient.client 
+ REQ: curl -i http://10.9.0.51:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "admin", "password": "openstack1"}}}'
  
- Suggest to add one options such as --show-credential (default to false)
- when --debug mode is on to prevent printing token and password by
- default.
+ 
+ Other components also has the credentials in debug mode. 
+ 
+ This behavior exposes a vulnerability to print sensitive information by
+ shell when user didn't expect so.

** Also affects: nova
   Importance: Undecided
       Status: New

** No longer affects: nova

** Also affects: python-novaclient
   Importance: Undecided
       Status: New

** Also affects: python-heatclient
   Importance: Undecided
       Status: New

** Also affects: python-glanceclient
   Importance: Undecided
       Status: New

** Also affects: python-cinderclient
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1327019

Title:
  OpenStack shell print credentials by default in debug mode

Status in OpenStack Security Advisories:
  Won't Fix
Status in Python client library for Cinder:
  New
Status in Python client library for Glance:
  New
Status in Python client library for heat:
  New
Status in Python client library for Neutron:
  New
Status in Python client library for Nova:
  New

Bug description:
  OpenStack shell client prints credential information (user password
  and user token) by default in debug mode.

  For example:

  neutron --debug net-list
  DEBUG: neutronclient.neutron.v2_0.network.ListNetwork get_data(Namespace(columns=[], fields=[], formatter='table', page_size=None, quote_mode='nonnumeric', request_format='json', show_details=False, sort_dir=[], sort_key=[]))
  DEBUG: neutronclient.client 
  REQ: curl -i http://10.9.0.51:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": "service", "passwordCredentials": {"username": "admin", "password": "openstack1"}}}'

  Other components also have the credentials in debug mode.

  This behavior exposes a vulnerability to print sensitive information
  by shell when the user didn't expect so.
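As an added example (not part of the bug report and not code from any OpenStack client), the following Python shows one way a client's debug logger can mask the values the report complains about: the password inside the Keystone token request body and the X-Auth-Token header on later requests. The `show_credentials` parameter mirrors the `--show-credential` option (default off) that the earlier wording of the report suggested. The sample log lines, the header names, the sensitive key list and the hypothetical `CredentialMaskFilter` class are all constructed for illustration; the password and token values are fake.

```python
import json
import logging
import re

# Constructed sample lines in the shape the bug report shows (fake secrets).
SAMPLE_REQ = (
    'REQ: curl -i http://10.9.0.51:5000/v2.0/tokens -X POST '
    '-H "Content-Type: application/json" -H "Accept: application/json" '
    '-H "User-Agent: python-neutronclient" '
    '-d \'{"auth": {"tenantName": "service", "passwordCredentials": '
    '{"username": "admin", "password": "openstack1"}}}\''
)
SAMPLE_TOKEN_REQ = (
    'REQ: curl -i http://10.9.0.51:9696/v2.0/networks.json -X GET '
    '-H "X-Auth-Token: 0123456789abcdef0123456789abcdef" '
    '-H "User-Agent: python-neutronclient"'
)

MASK = "***"
# JSON keys whose values must never reach a log (assumed list; extend as needed).
SENSITIVE_KEYS = frozenset({"password", "token", "secret", "apikey", "api_key"})
# Header names carrying bearer credentials in OpenStack-style requests.
SENSITIVE_HEADERS = ("x-auth-token", "x-subject-token", "authorization")

# Matches the curl body argument: -d '<json>' (greedy to the final quote).
_BODY = re.compile(r"(-d\s+')(.*)(')\s*$", re.DOTALL)
# Matches -H "Name: value" for a sensitive header name.
_HEADER = re.compile(
    r'(-H\s+"(?:%s):\s*)([^"]*)(")' % "|".join(SENSITIVE_HEADERS), re.IGNORECASE
)
# Fallback for bodies that are not valid JSON: "<key>": "<value>" pairs.
_KV = re.compile(
    r'("(?:%s)"\s*:\s*")([^"]*)(")' % "|".join(SENSITIVE_KEYS), re.IGNORECASE
)


def mask_json(obj):
    """Recursively replace the value of every sensitive key in parsed JSON."""
    if isinstance(obj, dict):
        return {
            k: (MASK if k.lower() in SENSITIVE_KEYS else mask_json(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_json(v) for v in obj]
    return obj


def mask_request_line(line, show_credentials=False):
    """Return the debug REQ line with header and body credentials masked.

    With show_credentials=True the line is returned unchanged, which is the
    opt-in behaviour the report asks for instead of printing by default.
    """
    if show_credentials:
        return line
    line = _HEADER.sub(lambda m: m.group(1) + MASK + m.group(3), line)
    m = _BODY.search(line)
    if not m:
        return line
    try:
        body = json.dumps(mask_json(json.loads(m.group(2))))
    except ValueError:
        # Body is not JSON: mask quoted key/value pairs textually instead.
        body = _KV.sub(lambda k: k.group(1) + MASK + k.group(3), m.group(2))
    return line[: m.start(2)] + body + line[m.end(2) :]


class CredentialMaskFilter(logging.Filter):
    """Hypothetical logging filter that masks credentials in every record.

    Attach it to the client's logger so that --debug output is scrubbed
    before any handler writes it to the terminal or a file.
    """

    def filter(self, record):
        record.msg = mask_request_line(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("neutronclient.client")
    log.setLevel(logging.DEBUG)
    log.addHandler(logging.StreamHandler())
    log.addFilter(CredentialMaskFilter())
    log.debug(SAMPLE_REQ)
    log.debug(SAMPLE_TOKEN_REQ)
```

Masking the parsed JSON rather than the raw text keeps the rest of the request readable (tenant and username survive), so the debug output still serves its diagnostic purpose while the password and token values are gone.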

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1327019/+subscriptions