OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log


I'm marking the advisory task won't fix and triaging this as a potential
security hardening opportunity. In the past we've considered information
leaking in DEBUG level logs to fit the B3 classification (a
vulnerability in experimental or debugging features not intended for
production use) in our report taxonomy: https://security.openstack.org
/vmt-process.html#incident-report-taxonomy

** Information type changed from Public Security to Public

** Tags added: security

** Changed in: ossa
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1750074

Title:
  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Cinder may log rabbitmq password on connection when DEBUG is on.

  Example on cinder-scheduler.log file after enabling DEBUG:
  (Password has been replaced with XXX)

  2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-
  14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url :
  rabbit://guest:XXX at 10.10.10.1:5672,guest:XXX at 10.10.10.2:5672,guest:XXX at 10.10.10.3:5672
  wait /usr/lib/python2.7/site-packages/cinder/service.py:611

  In a production environment, this is pretty bad.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1750074/+subscriptions