yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1443598] [NEW] backend_argument containing a password leaked in logs

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Eric Brown <browne@xxxxxxxxxx>
Date: Mon, 13 Apr 2015 18:49:53 -0000
Reply-to: Bug 1443598 <1443598@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

Public security bug reported:

The keystone.conf has an option backend_argument to set various options
for the caching backend.  As documented, some of the potential values
can contain a password.

Snippet from
http://docs.openstack.org/developer/keystone/developing.html#dogpile-
cache-based-mongodb-nosql-backend

[cache]
# Global cache functionality toggle.
enabled = True

# Referring to specific cache backend
backend = keystone.cache.mongo

# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password

As a result, passwords can be leaked to the keystone logs since the
config options is not marked secret.

** Affects: keystone
     Importance: Undecided
     Assignee: Eric Brown (ericwb)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1443598

Title:
  backend_argument containing a password leaked in logs

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  The keystone.conf has an option backend_argument to set various
  options for the caching backend.  As documented, some of the potential
  values can contain a password.

  Snippet from
  http://docs.openstack.org/developer/keystone/developing.html#dogpile-
  cache-based-mongodb-nosql-backend

  [cache]
  # Global cache functionality toggle.
  enabled = True

  # Referring to specific cache backend
  backend = keystone.cache.mongo

  # Backend specific configuration arguments
  backend_argument = db_hosts:localhost:27017
  backend_argument = db_name:ks_cache
  backend_argument = cache_collection:cache
  backend_argument = username:test_user
  backend_argument = password:test_password

  As a result, passwords can be leaked to the keystone logs since the
  config options is not marked secret.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1443598/+subscriptions

Follow ups

[Bug 1443598] Re: [OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
From: Alan Pevec, 2015-11-19
[Bug 1443598] Re: [OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
From: Doug Hellmann, 2015-06-23
[Bug 1443598] Re: [OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
From: Alan Pevec, 2015-06-19
[Bug 1443598] Re: [OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
From: Tristan Cacqueray, 2015-05-27
[Bug 1443598] Re: backend_argument containing a password leaked in logs
From: Thierry Carrez, 2015-04-23
[Bug 1443598] Re: backend_argument containing a password leaked in logs
From: Jeremy Stanley, 2015-04-13
[Bug 1443598] Re: backend_argument containing a password leaked in logs
From: Dolph Mathews, 2015-04-13
[Bug 1443598] [NEW] backend_argument containing a password leaked in logs
From: Eric Brown, 2015-04-13

References

[Bug 1443598] [NEW] backend_argument containing a password leaked in logs
From: Eric Brown, 2015-04-13