osdir.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1761538] Re: Cookie hash value displayed in rabbitmq logs


This likely is more related to RabbitMQ (and as fungi pointed out,
should probably be noted in OSSN) if it has a security impact on
OpenStack as a whole, rather than specifically keystone.

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1761538

Title:
  Cookie hash value displayed in rabbitmq logs

Status in OpenStack Identity (keystone):
  Invalid
Status in OpenStack Security Notes:
  New

Bug description:
  ENabled rabbitmq debug and restarted the process. Found sensitive data
  displayed in logs.

  rabbitmq uses Erlang cookie concept where a cluster of nodes
  communicates to each other. Any node that posses this secret cookie
  can communicate with other nodes in the cluster.

  
  =INFO REPORT==== 31-Mar-2018::03:28:46 ===
  stopped SSL Listener on [::]:5671

  =INFO REPORT==== 31-Mar-2018::03:28:46 ===
  Stopped RabbitMQ application

  =INFO REPORT==== 31-Mar-2018::03:28:46 ===
  Halting Erlang VM

  =INFO REPORT==== 31-Mar-2018::03:29:54 ===
  Starting RabbitMQ 3.6.6 on Erlang 19.1.1
  Copyright (C) 2007-2016 Pivotal Software, Inc.
  Licensed under the MPL.  See http://www.rabbitmq.com/

  =INFO REPORT==== 31-Mar-2018::03:29:54 ===
  node           : rabbit at ip9-114-192-221
  home dir       : /var/lib/rabbitmq
  config file(s) : /etc/rabbitmq/rabbitmq.config
  cookie hash    : RVLZk6qSkQ471Dqtfk14wA==
  log            : /var/log/rabbitmq/rabbit at ip9-114-192-221.log
  sasl log       : /var/log/rabbitmq/rabbit at ip9-114-192-221-sasl.log
  database dir   : /var/lib/rabbitmq/mnesia/rabbit at ip9-114-192-221

  =INFO REPORT==== 31-Mar-2018::03:29:57 ===
  Memory limit set to 3876MB of 9690MB total.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1761538/+subscriptions