yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1899229] Re: Nova compute log can get the password info from the user_data

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <1899229@xxxxxxxxxxxxxxxxxx>
Date: Mon, 12 Oct 2020 19:12:53 -0000
Reply-to: Bug 1899229 <1899229@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Also, the duplicate (bug 1899228) is still public anyway.

** Information type changed from Private Security to Public

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1899229

Title:
  Nova compute log can get the password info from the user_data

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Here is the log on /var/log/nova/nova-compute.log, we can see
  user_data='I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==',
  if you use python to do base64 decode, it will translate to '#cloud-
  config\nchpasswd:\n list: |\n root:12345678\n expire: False', we can
  see the root password is 12345678. Here is the method:

  >>>base64.b64decode("I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==")
  b'#cloud-config\nchpasswd:\n  list: |\n    root:12345678\n  expire: False'

  Although the password is been encrypted but it is easy to decrypted.

  So, in order to avoid this, maybe we don't need to display the
  password info?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1899229/+subscriptions

References

[Bug 1899229] [NEW] Nova compute log can get the password info from the user_data
From: changzhi, 2020-10-10