Bug 1422267

Summary: CVE-2017-2622 openstack-mistral: /var/log/mistral/ is world readable [openstack-rdo]
Product: [Community] RDO
Reporter: Summer Long <slong>
Component: distribution
Assignee: Tristan Cacqueray <tdecacqu>
Status: CLOSED CURRENTRELEASE
QA Contact: Shai Revivo <srevivo>
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mrunge, rbryant, sclewis, srevivo, tdecacqu
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: trunk
Hardware: All
OS: Linux
Whiteboard: component:openstack-mistral
Doc Type: Release Note
Story Points: ---
Last Closed: 2017-08-23 07:55:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1420992

Description Summer Long 2017-02-14 22:30:15 UTC
This is an RDO Project security tracking bug against openstack-mistral. It was created
to ensure that one or more security vulnerabilities are fixed.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

[bug automatically created by: add-tracking-bugs]

Comment 1 Tristan Cacqueray 2017-02-15 00:46:41 UTC
Fix proposed: https://review.rdoproject.org/r/5251

Comment 2 Jon Schlueter 2017-03-06 18:42:08 UTC
proposed for newton-rdo https://review.rdoproject.org/r/#/c/5614

Comment 3 Jon Schlueter 2017-03-06 18:51:43 UTC
proposed for mitaka-rdo  https://review.rdoproject.org/r/#/c/5615

Comment 4 Jon Schlueter 2017-03-06 18:54:16 UTC
proposed backport for ocata-rdo https://review.rdoproject.org/r/5616

Comment 5 Alan Pevec (Fedora) 2017-03-17 23:55:40 UTC
Copying my comment from (already merged) gerrit review https://review.rdoproject.org/r/#/c/5251/ for increased visibility, as I didn't get any response there:

It is unclear from the description which specific "sensitive information" is leaked, so I'm not sure the proposed fix is correct: logs should not contain sensitive info, and the bugfix should be to conceal it before sending it to the logs,
like for example password parameters in oslo.config: https://github.com/openstack/oslo.config/commit/0e4f86ec0998779b1ef4a1ae72a985d823886ff4

The plan is to centralize logs collection using Opstools SIG and removing log readability might break fluentd agent.

Comment 6 Tristan Cacqueray 2017-08-23 07:39:21 UTC
According to the corresponding upstream bug ( https://bugs.launchpad.net/mistral/+bug/1337268 ), any workflow's inputs are written to INFO logs, including sensitive parameters such as passwords.

A more robust fix to identify and mask sensitive inputs is still being discussed upstream; until then I think we could close that report.
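
The masking approach referred to in Comments 5 and 6 (conceal secrets before they reach the INFO log, rather than relying on log file permissions) as an added example. This is illustration code written for this page, not Mistral's or RDO's code: the list of sensitive key names, the message format, and the logger name are assumptions, and the workflow inputs used are constructed.

```python
"""Added example, not Mistral's own code: mask sensitive workflow inputs
before they are written to the INFO log.

Assumptions: which key names count as sensitive (SENSITIVE_KEY_RE), the
log message format, and the sample inputs below are all constructed here.
"""
import logging
import re

# Assumed set of key names that usually carry secrets; extend per deployment.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|private_key|credential)", re.I)
MASK = "***"


def mask_inputs(value):
    """Return a copy of `value` with values under sensitive keys replaced by MASK.

    Recurses into nested dicts, lists and tuples so a secret stored as
    {"auth": {"password": ...}} is still masked. Scalars are returned as-is.
    """
    if isinstance(value, dict):
        return {
            k: (MASK if SENSITIVE_KEY_RE.search(str(k)) else mask_inputs(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_inputs(v) for v in value)
    return value


class MaskInputsFilter(logging.Filter):
    """Logging filter that masks dict/list arguments of every log call.

    Attached to the logger, it runs before any handler sees the record, so
    LOG.info("... inputs %s", inputs) cannot leak a password even when the
    caller forgot to mask. Handles both the tuple form of record.args and
    the single-mapping form the logging module stores for a lone dict arg.
    """

    def filter(self, record):
        if record.args:
            if isinstance(record.args, dict):
                record.args = mask_inputs(record.args)
            else:
                record.args = tuple(mask_inputs(a) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def render_start_message(workflow_name, inputs):
    """Log a workflow start the way an engine might at INFO level and return
    the rendered line. A standalone Logger is used so repeated calls do not
    accumulate handlers on the global logging hierarchy."""
    logger = logging.Logger("mistral.example")  # assumed name
    logger.setLevel(logging.INFO)
    logger.addFilter(MaskInputsFilter())
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.info("Starting workflow %s with inputs %s", workflow_name, inputs)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample input: the password must not appear in the log line.
    sample = {"image": "cirros", "auth": {"user": "admin", "password": "hunter2"}}
    print(render_start_message("create_vm", sample))
```

The filter sits on the logger rather than on a handler so it applies regardless of how many handlers (file, syslog, fluentd forwarder) are attached; key-name matching is a heuristic, so free-text fields that happen to contain a secret still need the caller to mask them explicitly.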

Comment 7 Tristan Cacqueray 2017-08-23 07:43:24 UTC
Regarding the fluentd agent, shouldn't it be a member of the mistral group instead of having logs world-readable?

Comment 8 Matthias Runge 2017-08-23 07:49:12 UTC
fluentd agent is currently run as root user. That shouldn't be a problem.
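
The permission model discussed in Comments 7 and 8 (log directory not world-readable, with the collector reading it as root or through the mistral group) as an added example. This is illustration code written for this page, not part of the RDO fix or of fluentd: the audit rules, the collector uid/gids and the directory used in the demo are constructed for illustration.

```python
"""Added example, not RDO's or fluentd's code: check that a log directory
is not world-readable and that a given log-collector account can still
read it, either as root or via group membership.

Assumptions: the audit rules below, and the uid/gid values used in demo(),
are constructed for illustration.
"""
import os
import stat
import tempfile


def world_readable(mode):
    """True if the 'other' read bit is set on a file mode."""
    return bool(mode & stat.S_IROTH)


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Evaluate the Unix discretionary read check for a principal.

    root (uid 0) bypasses DAC. Otherwise exactly one class applies, in order:
    owner, then group, then other. A process whose primary or supplementary
    group matches the file's group is judged by the group bits only.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_log_dir(path, expected_gid, collector_uid, collector_gids):
    """Return a list of findings for `path`; an empty list means it passes.

    Checks that the directory is not world-readable or world-searchable,
    that it belongs to the expected group, and that the collector account
    can still read it under the resulting mode.
    """
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("world-accessible: mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_gid != expected_gid:
        findings.append("unexpected group gid %d" % st.st_gid)
    if not can_read(st.st_mode, st.st_uid, st.st_gid, collector_uid, collector_gids):
        findings.append("log collector uid %d cannot read the directory" % collector_uid)
    return findings


def demo():
    """Create a throwaway directory and audit three scenarios.

    Uses the current uid/gid as the owner so it runs unprivileged:
      weak      - mode 0755, collector not in the group (the reported state)
      fixed     - mode 0750, collector added to the group (Comment 7's model)
      forgotten - mode 0750, collector not in the group (breaks collection)
    Returns (weak, fixed, forgotten) finding lists.
    """
    collector_uid = 12345          # constructed, unprivileged collector account
    with tempfile.TemporaryDirectory() as d:
        gid = os.getgid()
        os.chmod(d, 0o755)
        weak = audit_log_dir(d, gid, collector_uid, {collector_uid})
        os.chmod(d, 0o750)
        fixed = audit_log_dir(d, gid, collector_uid, {collector_uid, gid})
        forgotten = audit_log_dir(d, gid, collector_uid, {collector_uid})
    return weak, fixed, forgotten


if __name__ == "__main__":
    for label, result in zip(("weak", "fixed", "forgotten"), demo()):
        print(label, result or "ok")
```

A collector running as root (as Comment 8 describes) passes `can_read` unconditionally, which is why tightening the directory to 0750 does not break it; the `forgotten` scenario is the case to watch for if the collector is later moved to an unprivileged account without adding it to the mistral group.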