Reviewed: https://review.opendev.org/708242 Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=28b98cb8337483cc6c48af4cb3f27770b21ac474 Submitter: Zuul Branch: master
commit 28b98cb8337483cc6c48af4cb3f27770b21ac474 Author: Jeremy Stanley <[email protected]> Date: Mon Feb 17 20:04:25 2020 +0000 Add OSSA-2020-001 (CVE-2015-9543) Change-Id: If9b675a4cef657f5d4102192821a51bb91d8cbf9 Closes-Bug: #1492140 ** Changed in: ossa Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1492140 Title: Nova can leak consoleauth token into log files (CVE-2015-9543) Status in OpenStack Compute (nova): Fix Released Status in OpenStack Compute (nova) queens series: In Progress Status in OpenStack Compute (nova) rocky series: Fix Committed Status in OpenStack Compute (nova) stein series: Fix Released Status in OpenStack Compute (nova) train series: Fix Released Status in oslo.utils: Fix Released Status in OpenStack Security Advisory: Fix Released Bug description: when instance console is accessed auth token is displayed nova- consoleauth.log nova-consoleauth.log:874:2015-09-02 14:20:36 29941 INFO nova.consoleauth.manager [req-6bc7c116-5681-43ee-828d-4b8ff9d566d0 fe3cd6b7b56f44c9a0d3f5f2546ad4db 37b377441b174b8ba2deda6a6221e399] Received Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, {'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', 'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'token': u'f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'last_activity_at': 1441203636.387588, 'internal_access_path': None, 'console_type': u'novnc', 'host': u'192.168.245.6', 'port': u'5900'} nova-consoleauth.log:881:2015-09-02 14:20:52 29941 INFO nova.consoleauth.manager [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] Checking Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, True and nova-novncproxy.log:30:2015-09-02 14:20:52 31927 INFO nova.console.websocketproxy [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] 3: connect info: {u'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', u'internal_access_path': None, u'last_activity_at': 1441203636.387588, u'console_type': u'novnc', u'host': u'192.168.245.6', u'token': u'f8ea537c-b924-4d92 -935e-4c22ec90d5f7', u'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92 -935e-4c22ec90d5f7', u'port': u'5900'} This token has a short lifetime but the exposure still represents a potential security weakness, especially as the log record in question are INFO level and thus available via centralized logging. A user with real time access to these records could mount a denial of service attack by accessing the instance console and performing a ctl alt del to reboot it Alternatively data privacy could be compromised if the attacker were able to obtain user credentials To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1492140/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
