yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1686743] Re: Ceph credentials included in logs using older libvirt/qemu

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Luke Hinds <lhinds@xxxxxxxxxx>
Date: Thu, 27 Jul 2017 16:55:31 -0000
Reply-to: Bug 1686743 <1686743@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ossn
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1686743

Title:
  Ceph credentials included in logs using older libvirt/qemu

Status in OpenStack Compute (nova):
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  Older versions of libvirt included network storage authentication
  information on the qemu command line. If libvirt raises an exception
  which logs the qemu command line it used, for example an error
  starting a domain, this authentication information will end up in the
  logs. There is an existing CVE for this issue here:

    https://access.redhat.com/security/cve/CVE-2015-5160

  Specifically, if a deployment is using ceph, a libvirt error starting
  a domain would log the cephx secret key and the monitor addresses on
  the qemu command line.

  The issue has been resolved upstream. Users running qemu version 2.6
  or later, and libvirt version 2.2 or later, are not vulnerable. No
  change is required in Nova to resolve this issue.

  Red Hat users running RHEL 7.3 or later are not vulnerable.

  It's not 100% clear to me that an OpenStack CVE is required here as
  it's not a bug in an OpenStack component, and it's already fixed
  upstream. However, it did come to my attention after a user publicly
  posted their ceph credentials on IRC, so evidently some OpenStack
  users are running vulnerable systems, and this is a very common
  configuration.

  In Nova, we currently have:

  MIN_LIBVIRT_VERSION = (1, 2, 9)
  MIN_QEMU_VERSION = (2, 1, 0)

  so anybody running the minimum supported versions will be vulnerable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1686743/+subscriptions