
[Openstack-security] [Bug 1750074] Re: Cinder logs rabbitmq password on connection log

I'm marking the advisory task won't fix and triaging this as a potential
security hardening opportunity. In the past we've considered information
leaking in DEBUG level logs to fit the B3 classification (a
vulnerability in experimental or debugging features not intended for
production use) in our report taxonomy:

** Information type changed from Public Security to Public

** Tags added: security

** Changed in: ossa
       Status: New => Won't Fix

You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.

  Cinder logs rabbitmq password on connection log

Status in Cinder:
  Fix Released
Status in Manila:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Cinder may log rabbitmq password on connection when DEBUG is on.

  Example on cinder-scheduler.log file after enabling DEBUG:
  (Password has been replaced with XXX)

  2018-02-05 19:21:52.721 35 DEBUG cinder.service [req-a2dbe0dd-
  14c9-4123-a69a-3623e5f0a4d7 - - - - -] transport_url :
  rabbit://guest:XXX at,guest:XXX at,guest:XXX at
  wait /usr/lib/python2.7/site-packages/cinder/

  In a production environment, this is pretty bad.

To manage notifications about this bug go to:
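
An added example, not part of the original message and not the Cinder or Manila fix: a standard-library logging filter that masks the password of every user:password pair in a multi-host URL such as the transport_url line quoted in the bug description. The host names, password and logger name are constructed for the demonstration.

```python
import io
import logging
import re

# Any scheme://... token up to the next whitespace (e.g. a transport_url value).
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://\S+")
# user:password@ at the start of the authority or after a comma (multi-host URLs).
# The password class excludes "," so a credential-free host:port is never consumed.
CRED_RE = re.compile(r"((?://|,)[^:@/\s,]*):[^@/\s,]*@")


def mask_url_passwords(text, mask="***"):
    """Replace the password of every user:password@ pair found inside URLs."""
    return URL_RE.sub(lambda m: CRED_RE.sub(r"\1:" + mask + "@", m.group(0)), text)


class UrlPasswordFilter(logging.Filter):
    """Scrub URL passwords from a record before any handler formats it."""

    def filter(self, record):
        record.msg = mask_url_passwords(record.getMessage())
        record.args = ()  # the message is already interpolated
        return True


def demo():
    """Log a constructed DEBUG line through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(UrlPasswordFilter())
    log = logging.getLogger("redaction-demo")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    # Constructed sample: hosts and password are made up, not taken from the bug.
    log.debug("transport_url : %s",
              "rabbit://guest:s3cret@mq1.example:5672,guest:s3cret@mq2.example:5672//")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter is attached to the handler so that it applies to records from every logger that reaches that handler, including DEBUG output from libraries.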