[Openstack-security] [Bug 1686743] Re: Ceph credentials included in logs using older libvirt/qemu
** Changed in: ossn
Status: Confirmed => Fix Released
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
Ceph credentials included in logs using older libvirt/qemu
Status in OpenStack Compute (nova):
Status in OpenStack Security Advisory:
Status in OpenStack Security Notes:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
Older versions of libvirt included network storage authentication
information on the qemu command line. If libvirt raises an exception
which logs the qemu command line it used, for example an error
starting a domain, this authentication information will end up in the
logs. There is an existing CVE for this issue here:
Â Â https://access.redhat.com/security/cve/CVE-2015-5160
Specifically, if a deployment is using ceph, a libvirt error starting
a domain would log the cephx secret key and the monitor addresses on
the qemu command line.
The issue has been resolved upstream. Users running qemu version 2.6
or later, and libvirt version 2.2 or later, are not vulnerable. No
change is required in Nova to resolve this issue.
Red Hat users running RHEL 7.3 or later are not vulnerable.
It's not 100% clear to me that an OpenStack CVE is required here as
it's not a bug in an OpenStack component, and it's already fixed
upstream. However, it did come to my attention after a user publicly
posted their ceph credentials on IRC, so evidently some OpenStack
users are running vulnerable systems, and this is a very common
In Nova, we currently have:
MIN_LIBVIRT_VERSION = (1, 2, 9)
MIN_QEMU_VERSION = (2, 1, 0)
so anybody running the minimum supported versions will be vulnerable.
To manage notifications about this bug go to: