Bug 1664310 - [RHEL 7.6 LP] openstack output leaks passwords
Summary: [RHEL 7.6 LP] openstack output leaks passwords
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
: ---
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
URL:
Whiteboard: V2V
Depends On:
Blocks: 1651426
Reported: 2019-01-08 12:09 UTC by Tomáš Golembiovský
Modified: 2019-10-17 11:07 UTC (History)
CC: 7 users

Fixed In Version: libguestfs-1.38.2-12.28.lp.el7_6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-17 11:07:01 UTC
Target Upstream Version:
Embargoed:



Description Tomáš Golembiovský 2019-01-08 12:09:32 UTC
When password arguments are passed with an --os-* option to -o openstack (e.g. --os-password=somesecret), such arguments are then presented in virt-v2v debug output in clear text.

Passwords should not be disclosed this way and should be masked in virt-v2v output.

Comment 2 Richard W.M. Jones 2019-01-08 13:48:19 UTC
Note this is only in the LP branch, so the bug may only affect layered products, not actual RHEL.
However it is a security issue.

Comment 3 Richard W.M. Jones 2019-01-08 14:21:05 UTC
Patch posted:
https://www.redhat.com/archives/libguestfs/2019-January/msg00086.html

Comment 4 Richard W.M. Jones 2019-01-08 14:57:05 UTC
Final patch upstream in:
https://github.com/libguestfs/libguestfs/commit/fc028bf57a3ff128d21b904583f9ea02f672ed5b

Comment 5 Richard W.M. Jones 2019-01-08 15:38:09 UTC
This is fixed in the libguestfs-1.38.2-12.28.lp.el7_6 package.  There's a scratch build here:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=19702636

Comment 6 liuzi 2019-10-17 11:07:01 UTC
Verified bug with builds:
virt-v2v-1.40.2-8.el7.x86_64
libguestfs-1.40.2-8.el7.x86_64
nbdkit-1.8.0-2.el7.x86_64

Steps:
1. Use virt-v2v to convert a guest to openstack and use option --os-password
#virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io  vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -n default esx6.7-rhel7.7-x86_64 --password-file /tmp/passwd -o openstack -oo server-id=rhel7.6-v2v-conversion-server -oo os-username=admin -oo os-password=redhat -v -x |& tee >op.log

2. Check if the passwords are disclosed in the log
# cat op.log |grep openstack
openstack [...] token issue
[ 181.3] Initializing the target -o openstack
openstack [...] volume create -f json --size 7 --description virt-v2v temporary volume for esx6.7-rhel7.7-x86_64 --non-bootable --read-write esx6.7-rhel7.7-x86_64-sda
openstack: JSON parsed as: {
openstack [...] volume show -f json d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack: JSON parsed as: {
openstack [...] server add volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] server remove volume rhel7.6-v2v-conversion-server d37127be-f085-4d3d-ada8-8415cdc1f2c5
openstack [...] volume delete d37127be-f085-4d3d-ada8-8415cdc1f2c5


Result:
virt-v2v will not disclose the password when converting a guest to openstack.
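The two halves of this bug, the masking the description asks for and the log check in the verification steps above, as an added example. This is not libguestfs's own code (the real fix is the OCaml commit linked in comment 4); it is a small Python helper that redacts secret option values before a command line is written to a debug log, handling the `--os-password=VALUE`, `--os-password VALUE` and virt-v2v `-oo os-password=VALUE` shapes, plus a function that scans log lines for a literal secret the way the `grep` in step 2 does. The option-name set, the sample argv and the sample log lines are constructed for the example; only `os-password` and the `-oo` form come from this report.

```python
import shlex

# Option names whose values must never reach a log. "os-password" is the one
# from the bug report; "password" is a constructed extra of the same pattern.
SECRET_KEYS = {"os-password", "password"}
MASK = "***"


def redact_argv(argv, secret_keys=SECRET_KEYS, mask=MASK):
    """Return a copy of argv with the values of secret options replaced by mask.

    Three shapes are recognised:
      --os-password=VALUE        (long option with inline value)
      --os-password VALUE        (long option, value in the next token)
      -oo os-password=VALUE      (virt-v2v output-option form: the key=value
                                  token follows -oo and carries no dashes)
    Everything else, including --password-file PATH, is passed through.
    """
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None

        # key=value, with or without leading dashes
        if "=" in arg:
            key, _ = arg.split("=", 1)
            if key.lstrip("-") in secret_keys:
                out.append(f"{key}={mask}")
                i += 1
                continue

        # --key value: the secret is the following token
        if arg.startswith("-") and arg.lstrip("-") in secret_keys and nxt is not None:
            out.extend([arg, mask])
            i += 2
            continue

        out.append(arg)
        i += 1
    return out


def format_for_log(argv, secret_keys=SECRET_KEYS):
    """Shell-quoted, redacted rendering of argv, safe to emit on a -v/-x log line."""
    return " ".join(shlex.quote(a) for a in redact_argv(argv, secret_keys))


def find_leaks(log_lines, secrets):
    """Return (line_number, line) pairs in which any literal secret appears.

    This is the programmatic form of the verification step: grep the log for
    the password value itself, not just for the option name.
    """
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if any(s in line for s in secrets)]


# Constructed argv modelled on the command in the verification steps, with
# placeholder values; not the reporter's real values.
SAMPLE_ARGV = [
    "virt-v2v", "-ic", "vpx://vcenter.example/dc/host/?no_verify=1",
    "--password-file", "/tmp/passwd",
    "-o", "openstack", "-oo", "server-id=conversion-server",
    "-oo", "os-username=admin", "-oo", "os-password=s3cret",
    "-v", "-x",
]

# Constructed debug lines: the first is what the unfixed build would print,
# the second is what the redacted rendering produces.
SAMPLE_LOG = [
    "[   0.0] Opening the source -i libvirt " + " ".join(SAMPLE_ARGV[1:]),
    "[   0.0] Opening the source -i libvirt " + format_for_log(SAMPLE_ARGV),
]


if __name__ == "__main__":
    print("redacted:", format_for_log(SAMPLE_ARGV))
    for n, line in find_leaks(SAMPLE_LOG, {"s3cret"}):
        print(f"leak on log line {n}: {line}")
```

Two design points worth noting: the redaction works on the argument vector before any string is built, so a forgotten quoting path cannot resurrect the secret; and the leak check searches for the secret's value rather than for the word "password", since a log line can name the option without the value and, conversely, echo the value in a place that never mentions the option.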

