Bug 1422267 - CVE-2017-2622 openstack-mistral: /var/log/mistral/ is world readable [openstack-rdo]
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: distribution
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
: trunk
Assignee: Tristan Cacqueray
QA Contact: Shai Revivo
Whiteboard: component:openstack-mistral
Blocks: CVE-2017-2622
Reported: 2017-02-14 22:30 UTC by Summer Long
Modified: 2017-08-23 07:55 UTC (History)
CC: 17 users

Last Closed: 2017-08-23 07:55:17 UTC




Links
System ID Private Priority Status Summary Last Updated
RDO 5251 0 None None None 2017-03-06 18:41:16 UTC
RDO 5614 0 None None None 2017-03-06 18:42:08 UTC
RDO 5615 0 None None None 2017-03-06 18:51:42 UTC
RDO 5616 0 None None None 2017-03-06 18:54:16 UTC

Description Summer Long 2017-02-14 22:30:15 UTC
This is an RDO Project security tracking bug against openstack-mistral. It was created
to ensure that one or more security vulnerabilities are fixed.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

[bug automatically created by: add-tracking-bugs]

Comment 1 Tristan Cacqueray 2017-02-15 00:46:41 UTC
Fix proposed: https://review.rdoproject.org/r/5251

Comment 2 Jon Schlueter 2017-03-06 18:42:08 UTC
proposed for newton-rdo https://review.rdoproject.org/r/#/c/5614

Comment 3 Jon Schlueter 2017-03-06 18:51:43 UTC
proposed for mitaka-rdo  https://review.rdoproject.org/r/#/c/5615

Comment 4 Jon Schlueter 2017-03-06 18:54:16 UTC
proposed backport for ocata-rdo https://review.rdoproject.org/r/5616

Comment 5 Alan Pevec (Fedora) 2017-03-17 23:55:40 UTC
Copying my comment from (already merged) gerrit review https://review.rdoproject.org/r/#/c/5251/ for increased visibility, as I didn't get any response there:

It is unclear from the description which specific "sensitive information" is leaked, so I'm not sure the proposed fix is correct: logs should not contain sensitive info, and the bugfix should be to conceal it before sending it to the logs,
like for example password parameters in oslo.config: https://github.com/openstack/oslo.config/commit/0e4f86ec0998779b1ef4a1ae72a985d823886ff4

The plan is to centralize log collection using the Opstools SIG, and removing log readability might break the fluentd agent.

Comment 6 Tristan Cacqueray 2017-08-23 07:39:21 UTC
According to the corresponding upstream bug ( https://bugs.launchpad.net/mistral/+bug/1337268 ), any workflow's inputs are written to INFO logs, including sensitive parameters such as passwords.

A more robust fix to identify and mask sensitive inputs is still being discussed upstream; until then I think we could close that report.
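Added example, not Mistral's own code and not the upstream fix under discussion: a recursive masker that replaces values stored under secret-looking parameter names before workflow inputs are written to an INFO log. The set of key names treated as sensitive, the `***` mask, the `log_workflow_start` helper and the sample inputs are all assumptions constructed for this illustration.

```python
import logging
import re

# Key names treated as secrets. This pattern is a constructed assumption for the
# example; the sensitive-input detection being discussed upstream may differ.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE
)
MASK = "***"


def mask_sensitive(value, key=None):
    """Return a copy of `value` in which anything stored under a secret-looking
    key, at any nesting depth, is replaced by MASK. A sensitive key masks its
    whole value (scalar, list or dict); other values are copied unchanged."""
    if key is not None and SENSITIVE_KEY_RE.search(str(key)):
        return MASK
    if isinstance(value, dict):
        return {k: mask_sensitive(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v, key) for v in value)
    return value


def log_workflow_start(logger, workflow_name, inputs):
    """Log the start of a workflow at INFO, but only after masking its inputs.
    Returns the masked copy so callers can see exactly what reached the log."""
    safe_inputs = mask_sensitive(inputs)
    logger.info("Starting workflow %r with inputs %r", workflow_name, safe_inputs)
    return safe_inputs


# Constructed sample: the kind of inputs a deployment workflow might receive.
SAMPLE_INPUTS = {
    "image": "cirros-0.3.5",
    "admin_password": "hunter2",
    "nodes": [
        {"host": "node-1", "ssh_private_key": "-----BEGIN RSA PRIVATE KEY-----"},
        {"host": "node-2", "ssh_private_key": "-----BEGIN RSA PRIVATE KEY-----"},
    ],
    "auth": {"token": "gAAAAAB-constructed-token", "project": "demo"},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log_workflow_start(logging.getLogger("mistral.demo"), "deploy", SAMPLE_INPUTS)
```

Masking by key name is a heuristic: it catches the common cases (passwords, tokens, keys) but not a secret passed under an innocuous name, so it complements rather than replaces restrictive log file permissions.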

Comment 7 Tristan Cacqueray 2017-08-23 07:43:24 UTC
Regarding the fluentd agent, shouldn't it be a member of the mistral group instead of having logs world-readable?

Comment 8 Matthias Runge 2017-08-23 07:49:12 UTC
The fluentd agent currently runs as the root user. That shouldn't be a problem.
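Added example, not part of the RDO packaging change or any of the reviews linked above: a small audit that walks a log directory, reports every entry readable by "other", and then clears world access while keeping group read, which is the arrangement Comment 7 describes (a collector in the service's group can still read the files). The 0750/0640 target modes, the temporary stand-in for /var/log/mistral and the sample log line are assumptions constructed for this illustration.

```python
import os
import stat
import tempfile

# Target modes: directory traversable by owner and group only, files readable by
# owner and group only. These values are this example's assumption, chosen to
# match the "not world-readable" intent rather than any packaging policy.
DIR_MODE = 0o750
FILE_MODE = 0o640


def is_world_readable(path):
    """True if the 'other' read bit is set on the file or directory."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def mode_of(path):
    """Permission bits of `path` as an int (e.g. 0o750)."""
    return os.stat(path).st_mode & 0o777


def audit_log_dir(root):
    """Return every directory or file under `root` (root included) that others
    can read, sorted so the output is stable."""
    findings = [root] if is_world_readable(root) else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_world_readable(full):
                findings.append(full)
    return sorted(findings)


def harden_log_dir(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """Clear world access under `root`. Group read is kept on purpose so that a
    log collector running under the service's group (e.g. a fluentd agent added
    to the 'mistral' group) can still read the logs without them being
    world-readable. Returns the number of entries changed."""
    changed = 0
    if mode_of(root) != dir_mode:
        os.chmod(root, dir_mode)
        changed += 1
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if mode_of(full) != dir_mode:
                os.chmod(full, dir_mode)
                changed += 1
        for f in filenames:
            full = os.path.join(dirpath, f)
            if mode_of(full) != file_mode:
                os.chmod(full, file_mode)
                changed += 1
    return changed


def build_sample_log_dir():
    """Constructed stand-in for /var/log/mistral: a world-readable directory
    holding a world-readable log file, the state the tracking bug describes."""
    root = tempfile.mkdtemp(prefix="mistral-log-")
    os.chmod(root, 0o755)
    log_path = os.path.join(root, "mistral-server.log")
    with open(log_path, "w") as fh:
        # constructed log line; shows why the file contents matter
        fh.write("INFO Starting workflow 'deploy' with inputs {'admin_password': '***'}\n")
    os.chmod(log_path, 0o644)
    return root


if __name__ == "__main__":
    sample_root = build_sample_log_dir()
    print("world-readable before:", audit_log_dir(sample_root))
    print("entries changed:", harden_log_dir(sample_root))
    print("world-readable after: ", audit_log_dir(sample_root))
```

Run against a real deployment, `audit_log_dir("/var/log/mistral")` is the check and `harden_log_dir` the remediation; group ownership of the directory (which user the collector runs as) is a separate decision that this example leaves to the packaging.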

