Reviewed: https://review.opendev.org/220622 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=26d4047e17eba9bc271f8868f1d0ffeec97b555e Submitter: Zuul Branch: master
commit 26d4047e17eba9bc271f8868f1d0ffeec97b555e Author: Balazs Gibizer <[email protected]> Date: Fri Aug 23 15:51:34 2019 +0200 Mask the token used to allow access to consoles Hide the novncproxy token from the logs. When backported this patch needs to be extended to handle the same issue in the consoleauth service. Co-Authored-By:paul-carlton2 <[email protected]> Co-Authored-By:Tristan Cacqueray <[email protected]> Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de Closes-Bug: #1492140 ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1492140 Title: consoleauth token displayed in log file Status in OpenStack Compute (nova): Fix Released Status in oslo.utils: Fix Released Status in OpenStack Security Advisory: Triaged Bug description: when instance console is accessed auth token is displayed nova- consoleauth.log nova-consoleauth.log:874:2015-09-02 14:20:36 29941 INFO nova.consoleauth.manager [req-6bc7c116-5681-43ee-828d-4b8ff9d566d0 fe3cd6b7b56f44c9a0d3f5f2546ad4db 37b377441b174b8ba2deda6a6221e399] Received Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, {'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', 'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'token': u'f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'last_activity_at': 1441203636.387588, 'internal_access_path': None, 'console_type': u'novnc', 'host': u'192.168.245.6', 'port': u'5900'} nova-consoleauth.log:881:2015-09-02 14:20:52 29941 INFO nova.consoleauth.manager [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] Checking Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, True and nova-novncproxy.log:30:2015-09-02 14:20:52 31927 INFO nova.console.websocketproxy [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] 3: connect info: {u'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', u'internal_access_path': None, u'last_activity_at': 1441203636.387588, u'console_type': u'novnc', u'host': u'192.168.245.6', u'token': u'f8ea537c-b924-4d92 -935e-4c22ec90d5f7', u'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92 -935e-4c22ec90d5f7', u'port': u'5900'} This token has a short lifetime but the exposure still represents a potential security weakness, especially as the log record in question are INFO level and thus available via centralized logging. A user with real time access to these records could mount a denial of service attack by accessing the instance console and performing a ctl alt del to reboot it Alternatively data privacy could be compromised if the attacker were able to obtain user credentials To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1492140/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
