Setting services to debug mode can also set Pecan to debug
---

### Summary ###
When debug mode is set for a service using Pecan (via --debug or
CONF.debug=True) Pecan is also set to debug. This can result in
accidental information disclosures.

### Affected Services / Software ###
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar

### Discussion ###
Although it's best practice to run production environments with
debugging functionality disabled, experience shows us that many
deployers choose to run OpenStack with debugging enabled to aid with
administration and fault finding.

When Pecan is running in debug mode, the following capabilities are made
available to anyone who can interact with the API service:

* Retrieve a stack trace of failed Pecan calls
* Retrieve a full list of environment variables containing potentially
sensitive information such as API credentials, passwords etc.
* Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service

### Recommended Actions ###
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.
Deployers are encouraged to apply these fixes (see launchpad bug in
References) in their clouds. For services that do not have a fix, or
where fixes cannot be applied in existing deployments, we advise not
using the debug configuration for affected services in production
environments.

### Contacts / References ###
Author: Robert Clark, IBM
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Pecan : http://www.pecanpy.org/