Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1424889 - Password written in clear text in heat-api.log with DEBUG mode [openstack-11]
Password written in clear text in heat-api.log with DEBUG mode [openstack-11]
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-heat (Show other bugs)
11.0 (Ocata)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 11.0 (Ocata)
Assigned To: Zane Bitter
Amit Ugol
: Security, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-19 21:46 EST by Summer Long
Modified: 2017-05-17 16:00 EDT (History)
9 users (show)

See Also:
Fixed In Version: openstack-heat-8.0.0-6.el7ost
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1424879
: 1424892 (view as bug list)
Environment:
Last Closed: 2017-05-17 16:00:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 442652 None None None 2017-03-08 15:33 EST
Red Hat Product Errata RHEA-2017:1245 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-05-17 19:01:50 EDT

  None (edit)
Description Summer Long 2017-02-19 21:46:26 EST 
+++ This bug was initially created as a clone of Bug #1424879 +++

Description of problem:
Reported by Hans Feldt, Ericsson

Password written in clear text in heat-api.log with DEBUG mode
Because this is debug, it is a hardening issue; no CVE is attached.

Upstream bug: https://bugs.launchpad.net/heat/+bug/1664792

Affected code:
heat/common/serializers.py:
 31 class JSONResponseSerializer(object):
 32
 33 def to_json(self, data):
 34 def sanitizer(obj):
 35 if isinstance(obj, datetime.datetime):
 36 return obj.isoformat()
 37 return six.text_type(obj)
 38
 39 response = jsonutils.dumps(data, default=sanitizer)
 40 LOG.debug("JSON response : %s" % response) # <- HERE

Version-Release number of selected component (if applicable):
openstack-heat-8.0.0-0.20161130172252.05ca9d5.el7ost

Steps to Reproduce:
1. Create overcloud
2. View /var/log/heat/heat-api.log
3. Grep for AdminPassword

Actual results:
Plain text is used for passwords

Expected results:
Plain text should never be used for passwords
Comment 1 Zane Bitter 2017-03-30 10:09:18 EDT 
Patch merged to stable/ocata upstream.
Comment 4 errata-xmlrpc 2017-05-17 16:00:35 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.