Bug 1664310 - [RHEL 7.6 LP] openstack output leaks passwords
Summary: [RHEL 7.6 LP] openstack output leaks passwords
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
URL:
Whiteboard: V2V
Depends On:
Blocks: 1651426
Reported: 2019-01-08 12:09 UTC by Tomáš Golembiovský
Modified: 2019-10-17 11:07 UTC (History)

Fixed In Version: libguestfs-1.38.2-12.28.lp.el7_6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-17 11:07:01 UTC
Target Upstream Version:
Embargoed:



Description Tomáš Golembiovský 2019-01-08 12:09:32 UTC
When password arguments are passed with an --os-* option to -o openstack (e.g. --os-password=somesecret), such arguments are then presented in virt-v2v debug output in clear text.

Passwords should not be disclosed this way and should be masked in virt-v2v output.
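The description above boils down to one defensive rule: a tool that echoes the command lines it runs (here, the `openstack` invocations in virt-v2v's `-v -x` output) must mask secret-bearing arguments before they reach the log. The following is an added illustration written for this page, not code from libguestfs or from the upstream fix; it assumes a virt-v2v-style argument vector (`--os-password=...`, `--os-password ...` as two arguments, and `-oo os-password=...` sub-options) and treats any option whose name ends in `password`, `token` or `secret` as sensitive. The sample argument vector and its password value are constructed for the example.

```python
import re
import shlex

# Option-name suffixes whose values are treated as secrets (assumption of this
# example; a real tool should list the exact option names it defines).
SECRET_SUFFIXES = ("password", "token", "secret")
MASK = "REDACTED"

# Matches "--name=value", "-name=value" and bare "name=value" (virt-v2v's
# "-oo name=value" sub-option form arrives as a separate "name=value" argument).
_KEY_VALUE = re.compile(r"(-{0,2}[A-Za-z0-9][-A-Za-z0-9_]*)=(.*)", re.S)


def _is_secret_name(name):
    """True if an option name (with or without leading dashes) looks secret."""
    return name.lstrip("-").lower().endswith(SECRET_SUFFIXES)


def redact_argv(argv):
    """Return a copy of argv with secret option values replaced by MASK.

    Handles three spellings:
      --os-password=secret
      --os-password secret        (value in the following argument)
      -oo os-password=secret      (virt-v2v style sub-option)
    Non-secret options such as --password-file /path are left untouched,
    because a file name is not the secret itself.
    """
    out = []
    mask_next = False
    for arg in argv:
        if mask_next:
            # Previous argument was a bare secret option; this is its value.
            out.append(MASK)
            mask_next = False
            continue
        m = _KEY_VALUE.fullmatch(arg)
        if m:
            name = m.group(1)
            out.append(f"{name}={MASK}" if _is_secret_name(name) else arg)
            continue
        if arg.startswith("-") and _is_secret_name(arg):
            mask_next = True
        out.append(arg)
    return out


def format_command_for_log(argv):
    """Shell-quoted, redacted rendering of argv suitable for debug output."""
    return " ".join(shlex.quote(a) for a in redact_argv(argv))


# Constructed sample mirroring the shape of the command in this bug report;
# the password and token values are placeholders, not real credentials.
SAMPLE_ARGV = [
    "virt-v2v", "-ic", "vpx://root@10.0.0.1/dc/esx?no_verify=1",
    "--password-file", "/tmp/passwd",
    "-o", "openstack",
    "-oo", "server-id=conv-server",
    "-oo", "os-username=admin",
    "-oo", "os-password=examplepass",
    "--os-password=examplepass",
    "--os-password", "examplepass",
    "--os-auth-token", "tok123",
    "-v", "-x",
]

if __name__ == "__main__":
    print(format_command_for_log(SAMPLE_ARGV))
```

Masking in the logger is the last line of defence, not the first: when the tool itself offers a way to supply the credential out of band (virt-v2v's `--password-file`, or the `OS_PASSWORD` environment variable that the openstack client reads), preferring that path keeps the secret out of argv, out of `ps` output and out of shell history as well as out of the debug log. A suffix heuristic like the one above also only catches options the author anticipated; an allowlist of the exact sensitive option names the tool defines is the safer form.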

Comment 2 Richard W.M. Jones 2019-01-08 13:48:19 UTC
Note this is only in the LP branch, so the bug may only affect layered products, not actual RHEL.
However it is a security issue.

Comment 3 Richard W.M. Jones 2019-01-08 14:21:05 UTC
Patch posted:
https://www.redhat.com/archives/libguestfs/2019-January/msg00086.html

Comment 4 Richard W.M. Jones 2019-01-08 14:57:05 UTC
Final patch upstream in:
https://github.com/libguestfs/libguestfs/commit/fc028bf57a3ff128d21b904583f9ea02f672ed5b

Comment 5 Richard W.M. Jones 2019-01-08 15:38:09 UTC
This is fixed in the libguestfs-1.38.2-12.28.lp.el7_6 package.  There's a scratch build here:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=19702636

Comment 6 liuzi 2019-10-17 11:07:01 UTC
Verified the bug with builds:
virt-v2v-1.40.2-8.el7.x86_64
libguestfs-1.40.2-8.el7.x86_64
nbdkit-1.8.0-2.el7.x86_64

Steps:
1. Use virt-v2v to convert a guest to openstack and use option --os-password
#virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel7.7-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server -oo os-username=admin -oo os-password=redhat -v -x |& tee >op.log

2. Check if the passwords are disclosed in the log
# cat op.log |grep openstack
openstack [...] token issue
[ 181.3] Initializing the target -o openstack
openstack [...] volume create -f json --size 7 --description virt-v2v temporary volume for esx6.7-rhel7.7-x86_64 --non-bootable --read-write esx6.7-rhel7.7-x86_64-sda
openstack: JSON parsed as: {
openstack [...] volume show -f json d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack: JSON parsed as: {
openstack [...] server add volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] server remove volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] volume delete d37127be-f085-4d3d-ada8-8415cdc1f2c5


Result:
virt-v2v will not disclose the password when converting a guest to openstack.

