yahoo-eng-team team mailing list archive

[Bug 2030976] Re: oslo notifications sending sensitive tokens


It seems pretty clear that, historically, OpenStack has assumed it's
okay to put sensitive data on the message bus, and we haven't really had
a project-wide architectural discussion about changing that approach. We
do have some progress in that vein, but it's clearly something that has
taken and will continue to take multiple iterations across a variety of
different components before we can really consider it safe for
deployments to expose unfiltered copies of these streams to untrusted
third parties.

An argument could be made that this sort of continuous, incremental
ratcheting down of sensitive data across the bus is the definition of
security hardening (class D in our report taxonomy), but because so much
other software has similar message buses that they do treat as safe to
expose, we clearly have operators assuming OpenStack uses its bus in the
same way, so I'd err on the side of a more conservative approach of both
communicating this as a broader architectural vulnerability without a
complete fix yet (class B2) and getting a security note put together with
relevant guidance for operators.

** Changed in: ossa
       Status: Fix Released => Incomplete

** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2030976

Title:
  oslo notifications sending sensitive tokens

Status in Ironic:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in oslo.messaging:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete
Status in OpenStack Security Notes:
  New

Bug description:
  Hi,

  I have configured an OpenStack deployment to send Ironic service
  notifications using oslo_messaging_notifications[1] and noticed that
  Keystone tokens are being sent in the
  ['oslo.message']['_context_auth_token'] field of the message payload.

  - I have confirmed that the auth token is leaked using both a Kafka and a RabbitMQ backend
  - I have also confirmed that both the messaging and messagingv2 options under oslo_messaging_notifications.driver are impacted[2]
  - I am using the Victoria version of OpenStack and I have not confirmed whether this has been patched in newer versions

  1) https://docs.openstack.org/ironic/latest/admin/notifications.html
  2) https://docs.openstack.org/ironic/victoria/configuration/sample-config.html
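
As an added example (not code from the bug report, Ironic or oslo.messaging), the following checks whether a captured notification envelope carries the `_context_auth_token` field the reporter describes and produces a redacted copy an operator could forward to consumers. The envelope layout (`oslo.version` plus a JSON string under `oslo.message`) follows oslo.messaging's wire format; the sample event and the match on other `_context_*token*` keys are assumptions.

```python
import json

# Context key the bug report shows carrying the Keystone token. Matching any
# other "_context_*token*" key is an added assumption, not from the report.
EXACT_SENSITIVE_KEYS = {"_context_auth_token"}
REDACTED = "<redacted>"


def inner_message(envelope):
    """Decode the JSON string wrapped under 'oslo.message' in an envelope."""
    return json.loads(envelope["oslo.message"])


def find_leaked_keys(envelope):
    """Sorted context keys in the notification holding a credential value."""
    msg = inner_message(envelope)
    return sorted(
        k for k, v in msg.items()
        if v and v != REDACTED
        and (k in EXACT_SENSITIVE_KEYS or (k.startswith("_context_") and "token" in k))
    )


def redact_notification(envelope):
    """Return a copy of the envelope with credential fields replaced; the
    'oslo.version' key and the event payload stay intact."""
    msg = inner_message(envelope)
    for key in find_leaked_keys(envelope):
        msg[key] = REDACTED
    out = dict(envelope)
    out["oslo.message"] = json.dumps(msg)
    return out


# Constructed sample: an Ironic-style notification as it would sit on the bus,
# with a placeholder token rather than a real credential.
SAMPLE_ENVELOPE = {
    "oslo.version": "2.0",
    "oslo.message": json.dumps({
        "message_id": "00000000-0000-0000-0000-000000000001",
        "publisher_id": "ironic-conductor.example",
        "event_type": "baremetal.node.power_set.end",
        "priority": "INFO",
        "payload": {"ironic_object.name": "NodePayload"},
        "_context_user_id": "user-placeholder",
        "_context_project_id": "project-placeholder",
        "_context_auth_token": "gAAAA-PLACEHOLDER-TOKEN",
    }),
}
```

Running `find_leaked_keys` over a sample of captured messages from each driver (messaging and messagingv2) is a quick way to confirm whether a given deployment is affected before exposing the stream to any third party.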

To manage notifications about this bug go to:
https://bugs.launchpad.net/ironic/+bug/2030976/+subscriptions