OSSN/OSSN-0046

Summary
When debug mode is set for a service using Pecan (via --debug or CONF.debug=True) Pecan is also set to debug. This can result in accidental information disclosures.

Affected Services / Software
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar

Discussion
Although it's best practice to run production environments with debugging functionality disabled, experience shows us that many deployers choose to run OpenStack with debugging enabled to aid with administration and fault finding.

When Pecan is running in debug mode, the following capabilities are made available to anyone who can interact with the API service:

sensitive information such as API credentials, passwords etc. resulting in a denial of service
 * Retrieve a stack trace of failed Pecan calls
 * Retrieve a full list of environment variables containing potentially
 * Set an execution breakpoint which hangs the service with a pdb shell,

Recommended Actions
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes. Deployers are encouraged to apply these fixes (see launchpad bug in References) in their clouds. For services that do not have a fix, or where fixes cannot be applied in existing deployments, we advise not using the debug configuration for affected services in production environments.

Contacts / References

 * Author: Robert Clark, IBM
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
 * Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg
 * Pecan : http://www.pecanpy.org/