Difference between revisions of "OSSN/OSSN-0046"
Robert-clark (talk | contribs) (Created page with "= OSSN-0046 = Work in progress by robert.clark/a-t/hp.com") |
(→OSSN-0046) |
||
| Line 1: | Line 1: | ||
| − | = OSSN-0046 | + | __NOTOC__ |
| − | + | ||
| + | == Setting services to debug mode can also set Pecan to debug == | ||
| + | |||
| + | === Summary === | ||
| + | When debug mode is set for a service using Pecan (via ''--debug'' or | ||
| + | ''CONF.debug=True'') Pecan is also set to debug. This can result in | ||
| + | accidental information disclosures. | ||
| + | |||
| + | === Affected Services / Software === | ||
| + | Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar | ||
| + | |||
| + | === Discussion === | ||
| + | Although it's best practice to run production environments with | ||
| + | debugging functionality disabled, experience shows us that many | ||
| + | deployers choose to run OpenStack with debugging enabled to aid with | ||
| + | administration and fault finding. | ||
| + | |||
| + | When Pecan is running in debug mode, the following capabilities are made | ||
| + | available to anyone who can interact with the API service: | ||
| + | |||
| + | * Retrieve a stack trace of failed Pecan calls | ||
| + | * Retrieve a full list of environment variables containing potentially | ||
| + | sensitive information such as API credentials, passwords etc. | ||
| + | * Set an execution breakpoint which hangs the service with a pdb shell, | ||
| + | resulting in a denial of service | ||
| + | |||
| + | |||
| + | === Recommended Actions === | ||
| + | At time of writing, Ceilometer, Gnocchi and Ironic have released fixes. | ||
| + | Deployers are encouraged to apply these fixes (see launchpad bug in | ||
| + | References) in their clouds. For services that do not have a fix, or | ||
| + | where fixes cannot be applied in existing deployments, we advise not | ||
| + | using the debug configuration for affected services in production | ||
| + | environments. | ||
| + | |||
| + | === Contacts / References === | ||
| + | * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046 | ||
| + | * Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206 | ||
| + | * OpenStack Security ML : openstack-security@lists.openstack.org | ||
| + | * OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||
| + | * Pecan : http://www.pecanpy.org/ | ||
Revision as of 14:17, 11 May 2015
Setting services to debug mode can also set Pecan to debug
Summary
When debug mode is set for a service using Pecan (via --debug or CONF.debug=True) Pecan is also set to debug. This can result in accidental information disclosures.
Affected Services / Software
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar
Discussion
Although it's best practice to run production environments with debugging functionality disabled, experience shows us that many deployers choose to run OpenStack with debugging enabled to aid with administration and fault finding.
When Pecan is running in debug mode, the following capabilities are made available to anyone who can interact with the API service:
- Retrieve a stack trace of failed Pecan calls
- Retrieve a full list of environment variables containing potentially
sensitive information such as API credentials, passwords etc.
- Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service
Recommended Actions
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes. Deployers are encouraged to apply these fixes (see launchpad bug in References) in their clouds. For services that do not have a fix, or where fixes cannot be applied in existing deployments, we advise not using the debug configuration for affected services in production environments.
Contacts / References
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
- Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg
- Pecan : http://www.pecanpy.org/
