Bug 1633019
| Summary: | CVE-2018-16856 openstack-octavia: Private keys written to world-readable log files [openstack-14-default] | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Summer Long <slong> | ||||
| Component: | openstack-octavia | Assignee: | Nir Magnezi <nmagnezi> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Alexander Stafeyev <astafeye> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 14.0 (Rocky) | CC: | astafeye, cgoncalves, ihrachys, jpadman, lpeer, majopela, sfowler, slong | ||||
| Target Milestone: | z1 | Keywords: | Security, SecurityTracking, Triaged, ZStream | ||||
| Target Release: | 14.0 (Rocky) | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openstack-octavia-3.0.1-0.20181009115732.c57ae8d.el7ost | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-03-18 13:02:26 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1649165 | ||||||
| Deadline: | 2019-09-26 | ||||||
| Attachments: |
|
||||||
I will look into it. We can either change the file permissions or prevent from those prints to happen to begin with (maybe only in debug mode?). A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 26-Sep-2019. Refer to this bug's Description for information about how to resolve this bug. Summer, I'm looking into this problem now, tried to reproduce it but by simply creating load balancers but for some reason, it does not show any key. 1. Do you happen to have the actual log files or the sosreport? 2. Did you do anything other than creating a load balancer to see those keys? (In reply to Nir Magnezi from comment #6) > Summer, > > I'm looking into this problem now, tried to reproduce it but by simply > creating load balancers but for some reason, it does not show any key. > > 1. Do you happen to have the actual log files or the sosreport? > 2. Did you do anything other than creating a load balancer to see those keys? Actually, I just recalled we had that in an email exchange, so please disregard for now. Happens on active/standby octavia configuration only. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0593 |
Created attachment 1487003 [details] log image with server_pem Description of problem: In a default Director installation with Octavia: * On the controller, Octavia logs are world readable, where /var/log/containers/octavia and /var/log/containers/httpd/octavia-api are both 755 and the logs themselves are 644. * The /var/log/containers/octavia/worker.log has private key data (see attachment). Version-Release number of selected component (if applicable): How reproducible: The octavia.yaml file was not modified in the deployment: openstack overcloud deploy --templates -e /home/stack/templates/node-info.yaml -e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/octavia.yaml -e /home/stack/templates/overcloud_images.yaml --libvirt-type qemu --ntp-server clock.redhat.com Actual results: Log files containing sensitive data are world readable. Expected results: Log files must not be world readable if sensitive data is included. Ideally, make all log files non-world-readable. Additional info: The default debug level was not changed, and was set to: debug=False