security-doc/security-notes/OSSN-0046
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

42 lines
1.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Setting services to debug mode can also set Pecan to debug
---
### Summary ###
When debug mode is set for a service using Pecan (via --debug or
CONF.debug=True) Pecan is also set to debug. This can result in
accidental information disclosures.
### Affected Services / Software ###
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar
### Discussion ###
Although it's best practice to run production environments with
debugging functionality disabled, experience shows us that many
deployers choose to run OpenStack with debugging enabled to aid with
administration and fault finding.
When Pecan is running in debug mode, the following capabilities are made
available to anyone who can interact with the API service:
* Retrieve a stack trace of failed Pecan calls
* Retrieve a full list of environment variables containing potentially
sensitive information such as API credentials, passwords etc.
* Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service
### Recommended Actions ###
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.
Deployers are encouraged to apply these fixes (see launchpad bug in
References) in their clouds. For services that do not have a fix, or
where fixes cannot be applied in existing deployments, we advise not
using the debug configuration for affected services in production
environments.
### Contacts / References ###
Author: Robert Clark, IBM
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Pecan : http://www.pecanpy.org/