
yahoo-eng-team team mailing list archive

[Bug 1458362] Re: auth_token exposure in event_type network.create.start


[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1458362

Title:
  auth_token exposure in event_type network.create.start

Status in neutron:
  Expired
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  version: devstack kilo stable
  service: neutron/rabbit message queue, ceilometer, keystone audit middleware, etc
  impact: token exposure; security vulnerability
  symptom:
  monitoring notifications in the message queue by listening on port 5672.
  When a neutron network is created, in the messages with event_type network.create.start and network.create.end, the token is exposed as:
  "_context_auth_token": "165ec7170e704d4aafc7417c60091157",
  Please note that in event_type audit.http.request, the token is masked as:
  "credential": {
      "token": "5696 xxxxxxxx 03ba",
      "identity_status": "Confirmed"
  },
  which is secured by the patch for the vulnerability CVE-2014-4615 at https://bugs.launchpad.net/oslo-incubator/+bug/1321080.
  So the patch in pycadf is still valid, but a new patch needs to be applied to the events network.create.start, network.create.end, etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1458362/+subscriptions
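The report contrasts the cleartext `_context_auth_token` in neutron's network.create.* notifications with the "5696 xxxxxxxx 03ba" masking that pycadf applies to audit.http.request. The following is an added example (not neutron or pycadf code) showing the same keep-four-drop-the-middle masking applied to an arbitrary notification dict before it is published, plus a detection helper that flags sensitive keys whose values still look like raw 32-hex-character Keystone tokens. The sample notification is constructed for this example; its token value is made up.

```python
import json
import re

# Constructed sample modeled on the report's network.create.start message.
# The token value is made up and belongs to no real deployment.
SAMPLE_NOTIFICATION = {
    "event_type": "network.create.start",
    "_context_auth_token": "165ec7170e704d4aafc7417c60091157",
    "_context_user_id": "d4f3c0d5a0b7405aa4b3c8a3e2f0c9e1",
    "payload": {"network": {"name": "demo-net", "admin_state_up": True}},
}

# Key suffixes whose values are bearer credentials (assumed list for this example).
SENSITIVE_KEYS = ("auth_token", "token", "password")
# Keystone UUID-style tokens of the Kilo era: 32 lowercase hex characters.
HEX_TOKEN = re.compile(r"^[0-9a-f]{32}$")

def mask_token(value):
    """Keep the first and last four characters, in the style pycadf uses for
    audit.http.request ("5696 xxxxxxxx 03ba" in the report)."""
    if not isinstance(value, str) or len(value) <= 8:
        return "xxxxxxxx"
    return "%s xxxxxxxx %s" % (value[:4], value[-4:])

def mask_notification(obj):
    """Return a copy of a notification with every sensitive key masked, recursing
    into nested dicts and lists so context fields at any depth are covered."""
    if isinstance(obj, dict):
        return {k: mask_token(v) if k.lower().endswith(SENSITIVE_KEYS)
                else mask_notification(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_notification(v) for v in obj]
    return obj

def find_cleartext_tokens(obj, path=""):
    """Detection side: return the key paths of sensitive fields that still carry
    a raw hex token, for auditing what actually reaches the queue."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = "%s.%s" % (path, k) if path else k
            if k.lower().endswith(SENSITIVE_KEYS) and isinstance(v, str) and HEX_TOKEN.match(v):
                hits.append(child)
            else:
                hits.extend(find_cleartext_tokens(v, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_cleartext_tokens(v, "%s[%d]" % (path, i)))
    return hits

if __name__ == "__main__":
    print(find_cleartext_tokens(SAMPLE_NOTIFICATION))   # ['_context_auth_token']
    print(json.dumps(mask_notification(SAMPLE_NOTIFICATION), indent=2))
```

In a real deployment the masking step belongs in the notifier before the message is published, not in a consumer, since anything listening on port 5672 already sees the unmasked payload.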