git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1686743] Re: Ceph credentials included in logs using older libvirt/qemu


** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Older versions of libvirt included network storage authentication
  information on the qemu command line. If libvirt raises an exception
  which logs the qemu command line it used, for example an error starting
  a domain, this authentication information will end up in the logs. There
  is an existing CVE for this issue here:
  
    https://access.redhat.com/security/cve/CVE-2015-5160
  
  Specifically, if a deployment is using ceph, a libvirt error starting a
  domain would log the cephx secret key and the monitor addresses on the
  qemu command line.
  
  The issue has been resolved upstream. Users running qemu version 2.6 or
  later, and libvirt version 2.2 or later, are not vulnerable. No change
  is required in Nova to resolve this issue.
  
  Red Hat users running RHEL 7.3 or later are not vulnerable.
  
  It's not 100% clear to me that an OpenStack CVE is required here as it's
  not a bug in an OpenStack component, and it's already fixed upstream.
  However, it did come to my attention after a user publicly posted their
  ceph credentials on IRC, so evidently some OpenStack users are running
  vulnerable systems, and this is a very common configuration.
  
  In Nova, we currently have:
  
  MIN_LIBVIRT_VERSION = (1, 2, 9)
  MIN_QEMU_VERSION = (2, 1, 0)
  
  so anybody running the minimum supported versions will be vulnerable.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1686743

Title:
  Ceph credentials included in logs using older libvirt/qemu

Status in OpenStack Compute (nova):
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Older versions of libvirt included network storage authentication
  information on the qemu command line. If libvirt raises an exception
  which logs the qemu command line it used, for example an error
  starting a domain, this authentication information will end up in the
  logs. There is an existing CVE for this issue here:

    https://access.redhat.com/security/cve/CVE-2015-5160

  Specifically, if a deployment is using ceph, a libvirt error starting
  a domain would log the cephx secret key and the monitor addresses on
  the qemu command line.

  The issue has been resolved upstream. Users running qemu version 2.6
  or later, and libvirt version 2.2 or later, are not vulnerable. No
  change is required in Nova to resolve this issue.

  Red Hat users running RHEL 7.3 or later are not vulnerable.

  It's not 100% clear to me that an OpenStack CVE is required here as
  it's not a bug in an OpenStack component, and it's already fixed
  upstream. However, it did come to my attention after a user publicly
  posted their ceph credentials on IRC, so evidently some OpenStack
  users are running vulnerable systems, and this is a very common
  configuration.

  In Nova, we currently have:

  MIN_LIBVIRT_VERSION = (1, 2, 9)
  MIN_QEMU_VERSION = (2, 1, 0)

  so anybody running the minimum supported versions will be vulnerable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1686743/+subscriptions