Absolutely, for people that haven’t updated their SSL libraries (where OpenSSL was in use) there could be some level of exposure.
This has actually been addressed in an OpenStack Security Note: https://wiki.openstack.org/wiki/OSSN/OSSN-0012

From: Hao Wang [mailto:[email protected]]
Sent: 29 April 2014 15:26
To: Clark, Robert Graham
Cc: [email protected]; openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security

Thanks. It makes sense. The other questions are, would Heartbleed be a potential risk? Which solution is being used in OpenStack SSL?

On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham <[email protected]> wrote:

This is why any production API servers should all be running TLS/SSL – to protect the confidentiality of messages in flight. There have been efforts to remove sensitive information from logs; I'm a little surprised that passwords are logged in Neutron.

From: Hao Wang [mailto:[email protected]]
Sent: 29 April 2014 14:06
To: [email protected]
Cc: openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security

Adding security group...

On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang <[email protected]> wrote:

It is the client. I got this message with DEBUG enabled:

curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'

It can be seen that the username and password are right there in the message.

Hao

On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister <[email protected]> wrote:

Was it the client or the server that exposed the credentials?

Sent from my iPhone

On Apr 26, 2014, at 2:28 PM, Hao Wang <[email protected]> wrote:

Hi,

I am troubleshooting a Neutron case. It was just found that if DEBUG was enabled, Neutron would print out JSON data with the username and password.
I am wondering what kind of protocol is used in a production environment to prevent this security risk from happening.

Thanks,
Hao

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
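As an added example, not code from this thread or from any OpenStack project, the following Python logging filter masks the password in a Keystone v2.0 token request body before a client writes it at DEBUG level, which addresses the exposure Hao shows above; the key list, function names and the fallback pattern are assumptions, and the sample body is constructed from the request quoted in the thread.

```python
import json
import logging
import re

# Keys whose values must never reach a log line (assumed list; extend for your deployment).
SENSITIVE_KEYS = {"password", "token", "auth_token", "secret"}
MASK = "***"
# Fallback for bodies that are not valid JSON: matches "password": "..." style pairs.
_FALLBACK = re.compile(r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(SENSITIVE_KEYS), re.I)


def _mask(obj):
    """Recursively replace the values of sensitive keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else _mask(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask(v) for v in obj]
    return obj


def redact_body(body: str) -> str:
    """Return a copy of a request body that is safe to write to a log."""
    try:
        return json.dumps(_mask(json.loads(body)), sort_keys=True)
    except ValueError:  # not JSON: fall back to the textual pattern
        return _FALLBACK.sub(r"\1%s\2" % MASK, body)


class RedactingFilter(logging.Filter):
    """logging.Filter that scrubs the message and its args before the record is emitted."""

    def filter(self, record):
        record.msg = redact_body(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_body(str(a)) for a in record.args)
        return True


# Constructed sample: the Keystone v2.0 token request body quoted in the thread.
SAMPLE_BODY = ('{"auth": {"tenantName": "admin", "passwordCredentials": '
               '{"username": "admin", "password": "admin"}}}')

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("client")
    log.addFilter(RedactingFilter())
    log.debug("REQ BODY: %s", SAMPLE_BODY)  # the password is written as ***
```

A filter only protects loggers it is attached to, so in a real deployment it belongs on the root logger or on every handler that can emit DEBUG records.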
