openstack/security-doc
Code Issues Proposed changes
Files
f7df1f4041041cea06afd0cf811ccee6cc29b76c
security-doc/security-notes/OSSN-0046
Nathan Kinder 10ca18f213 Correct line-wrapping for OSSN-0046 
OSSNs should be line-wrapped at 72 characters to behave properly
in MUAs.  This corrects the line-wrapping for the recently merged
OSSN-0046.

Change-Id: I500867a6862fbb372faced682926e216d880c26c
2015-04-30 19:10:04 -07:00

41 lines
1.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Setting services to debug mode can also set Pecan to debug
---
### Summary ###
When debug mode is set for a service using Pecan (via --debug or
CONF.debug=True) Pecan is also set to debug. This can result in
accidental information disclosures.
### Affected Services / Software ###
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar
### Discussion ###
Although it's best practice to run production environments with
debugging functionality disabled, experience shows us that many
deployers choose to run OpenStack with debugging enabled to aid with
administration and fault finding.
When Pecan is running in debug mode, the following capabilities are made
available to anyone who can interact with the API service:
* Retrieve a stack trace of failed Pecan calls
* Retrieve a full list of environment variables containing potentially
sensitive information such as API credentials, passwords etc.
* Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service
### Recommended Actions ###
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.
Deployers are encouraged to apply these fixes (see launchpad bug in
References) in their clouds. For services that do not have a fix, or
where fixes cannot be applied in existing deployments, we advise not
using the debug configuration for affected services in production
environments.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Pecan : http://www.pecanpy.org/
View Git Blame Copy Permalink