[Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log
I'm marking the advisory task won't fix and triaging this as a potential
security hardening opportunity. In the past we've considered information
leaking in DEBUG level logs to fit the B3 classification (a
vulnerability in experimental or debugging features not intended for
production use) in our report taxonomy: https://security.openstack.org
** Information type changed from Public Security to Public
** Tags added: security
** Changed in: ossa
Status: New => Won't Fix
Cinder logs rabbitmq password on connection log
Status in Cinder:
Status in Manila:
Status in OpenStack Security Advisory:
Cinder may log rabbitmq password on connection when DEBUG is on.
Example on cinder-scheduler.log file after enabling DEBUG:
(Password has been replaced with XXX)
2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url : rabbit://guest:XXX@10.10.10.1:5672,guest:XXX@10.10.10.2:5672,guest:XXX@10.10.10.3:5672
In a production environment, this is pretty bad.
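One way to apply the hardening discussed in this report, as an added example that is not part of the original bug report and is not Cinder or oslo code: a standard-library logging filter that masks the password in every host entry of a multi-host transport_url before the record is written. The names `redact_url_credentials` and `RedactURLCredentials` and the sample password are assumptions made for the illustration.

```python
import io
import logging
import re

# Userinfo of each host entry: "scheme://user:secret@" for the first host and
# ",user:secret@" for every further host of a comma-separated transport_url.
# Group 1 keeps the prefix and user name; only the password is replaced.
# Passwords are assumed to be URL-encoded (no raw "@", "/" or ",").
_CRED_RE = re.compile(r"((?:[a-zA-Z][a-zA-Z0-9+.-]*://|,)[^:/@,\s]*):[^@/,\s]*@")

# Constructed sample modelled on the log line in the report (password invented).
SAMPLE_URL = ("rabbit://guest:s3cret@10.10.10.1:5672,"
              "guest:s3cret@10.10.10.2:5672,guest:s3cret@10.10.10.3:5672")


def redact_url_credentials(text):
    """Return text with every URL password replaced by '***'."""
    return _CRED_RE.sub(r"\1:***@", text)


class RedactURLCredentials(logging.Filter):
    """Mask URL passwords in a record, including ones passed as %s args."""

    def filter(self, record):
        # Render the message first so secrets in record.args are covered.
        record.msg = redact_url_credentials(record.getMessage())
        record.args = None
        return True  # never drop the record, only rewrite it


def demo():
    """Log the sample URL at DEBUG through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactURLCredentials())
    log = logging.getLogger("redact_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    log.debug("%s : %s", "transport_url", SAMPLE_URL)
    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter is attached to the handler rather than to a logger because logger-level filters are not applied to records propagated from child loggers, while handler-level filters see every record the handler emits.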