Description of problem:

Reported by Hans Feldt, Ericsson: password written in clear text in heat-api.log with DEBUG mode. Because this is debug logging, it is a hardening issue; no CVE is attached.

Upstream bug: https://bugs.launchpad.net/heat/+bug/1664792

Affected code (heat/common/serializers.py):

    class JSONResponseSerializer(object):

        def to_json(self, data):
            def sanitizer(obj):
                if isinstance(obj, datetime.datetime):
                    return obj.isoformat()
                return six.text_type(obj)

            response = jsonutils.dumps(data, default=sanitizer)
            LOG.debug("JSON response : %s" % response)  # <- HERE

Version-Release number of selected component (if applicable):
openstack-heat-2014.2.4-1.el7ost

Steps to Reproduce:
1. Create overcloud
2. View /var/log/heat/heat-api.log
3. Grep for AdminPassword

Actual results:
Plain text is used for passwords

Expected results:
Plain text should never be used for passwords
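One way to keep the debug line without leaking credentials, as an added example that is not heat's own fix: mask the values of sensitive keys in a copy of the response data before it is logged, while the caller still receives the unmasked JSON. It assumes the stdlib json and logging modules in place of jsonutils/six, and SENSITIVE_KEYS is a constructed placeholder list.

```python
import datetime
import json
import logging

LOG = logging.getLogger(__name__)

# Key substrings whose values must never reach a log (constructed list,
# not heat's; a real deployment would align it with its own parameters).
SENSITIVE_KEYS = ("password", "secret", "token")
MASK = "***"


def mask_sensitive(obj):
    """Return a copy of obj with the values of sensitive keys replaced.

    Dicts and lists are walked recursively; the input is never mutated.
    """
    if isinstance(obj, dict):
        return {
            k: (MASK if any(s in str(k).lower() for s in SENSITIVE_KEYS)
                else mask_sensitive(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [mask_sensitive(v) for v in obj]
    return obj


class JSONResponseSerializer(object):

    def to_json(self, data):
        def sanitizer(obj):
            if isinstance(obj, datetime.datetime):
                return obj.isoformat()
            return str(obj)

        response = json.dumps(data, default=sanitizer)
        # Log a masked rendering only; the unmasked response is returned
        # to the caller but never written to heat-api.log.
        if LOG.isEnabledFor(logging.DEBUG):
            LOG.debug("JSON response : %s",
                      json.dumps(mask_sensitive(data), default=sanitizer))
        return response
```

Grepping the log for AdminPassword after this change only finds the masked value.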
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1446