[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1458362

Title:
  auth_token exposure in event_type network.create.start

Status in neutron:
  Expired
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  version: devstack kilo stable
  service: neutron/rabbit message queue, ceilometer, keystone audit middleware, etc
  impact: token exposure; security vulnerability
  symptom:
  Monitoring notifications in the message queue by listening on port 5672.
  When a neutron network is created, in the messages with event_type
  network.create.start and network.create.end, the token is exposed as:
  "_context_auth_token": "165ec7170e704d4aafc7417c60091157",
  Please note that in event_type audit.http.request, the token is masked as:
  "credential": {
      "token": "5696 xxxxxxxx 03ba",
      "identity_status": "Confirmed"
  },
  Which is secured by the patch for the vulnerability CVE-2014-4615 at
  https://bugs.launchpad.net/oslo-incubator/+bug/1321080.
  So the patch in pycadf is still valid, but a new patch needs to be applied to
  events network.create.start, network.create.end, etc.

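A consumer-side check for the exposure described in the bug, as an added example that is not code from neutron, pycadf or the bug report: it walks a notification body, masks any unmasked token field in the "first four, xxxxxxxx, last four" style the report shows for audit.http.request, and returns the paths where a full token was found. The function names, the key list beyond `_context_auth_token` and `token`, and the nesting of the sample messages are assumptions.

```python
# Key names treated as secrets. "_context_auth_token" and "token" appear in the
# report; "auth_token" is an assumed extra.
SENSITIVE_KEYS = {"_context_auth_token", "auth_token", "token"}

# Constructed sample messages; only the two token strings come from the report.
SAMPLE_NETWORK_EVENT = {
    "event_type": "network.create.start",
    "_context_auth_token": "165ec7170e704d4aafc7417c60091157",
    "payload": {"network": {"name": "demo-net"}},
}
SAMPLE_AUDIT_EVENT = {
    "event_type": "audit.http.request",
    "payload": {"initiator": {"credential": {
        "token": "5696 xxxxxxxx 03ba", "identity_status": "Confirmed",
    }}},
}


def mask_token(value, keep=4):
    """Mask a token in the style shown for audit.http.request."""
    text = str(value)
    if len(text) <= keep * 2:
        return "xxxxxxxx"  # too short to reveal any part of it
    return f"{text[:keep]} xxxxxxxx {text[-keep:]}"


def is_masked(value):
    """Heuristic: the value already carries the mask filler."""
    return isinstance(value, str) and "xxxxxxxx" in value


def redact(obj, path="", hits=None):
    """Return (masked copy, paths that held an unmasked token); input is untouched."""
    hits = [] if hits is None else hits
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(val, str) and val and not is_masked(val):
                hits.append(here)
                out[key] = mask_token(val)
            else:
                out[key] = redact(val, here, hits)[0]
        return out, hits
    if isinstance(obj, list):
        return [redact(v, f"{path}[{i}]", hits)[0] for i, v in enumerate(obj)], hits
    return obj, hits
```

A non-empty list of paths for a message is the signal that a full token reached the queue; the masked copy is what would be safe to store or forward.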