[Bug 1999665] Re: Heat stack 'hidden' and heat.conf 'encrypt_parameters_and_properties' settings are not honored

Corey Bryant 1999665 at bugs.launchpad.net
Thu Mar 9 15:00:29 UTC 2023


This has been uploaded to the kinetic and jammy unapproved queues:
https://launchpad.net/ubuntu/kinetic/+queue?queue_state=1&queue_text=heat
https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=heat


** Description changed:

+ [Impact]
+ 
+ This is a potential security vulnerability. The upstream story has been
+ marked as 'Vulnerability or Security-related' and is awaiting security
+ triage: https://storyboard.openstack.org/#!/story/2010484
+ 
+ [Test Case]
+ 
  After a stack is created using:
  
  openstack stack create --parameter password=test123 -t
  simple_instance.yaml -e params.yaml my_simple_stack
  
- where 'simple_instance.yaml' defines a simple VM with a 'hidden' 
+ where 'simple_instance.yaml' defines a simple VM with a 'hidden'
  parameter as below:
  
-   password:
-     type: string
-     hidden: true
-     description: The password
+   password:
+     type: string
+     hidden: true
+     description: The password
  
  'hidden' is honored when you run:
  
  openstack stack show my_simple_stack | grep password
- |                       | password: '******'                                                                                                  
+ |                       | password: '******'
  
- but that's not the case for the below command as the API returns the 
+ but that's not the case for the below command as the API returns the
  'hidden' parameter in plain text:
  
  openstack stack environment show my_simple_stack3 | grep password
-   password: test123
+   password: test123
  
- This behavior is observed in Focal/Ussuri and Jammy/Yoga and happens 
- regardless of the user role used. Namely two users with either reader 
- or member (admin role as well but this may be by design) face the same 
- issue. For example, if user1 created the stack, both user1 and user2 
+ This behavior is observed in Focal/Ussuri and Jammy/Yoga and happens
+ regardless of the user role used. Namely two users with either reader
+ or member (admin role as well but this may be by design) face the same
+ issue. For example, if user1 created the stack, both user1 and user2
  (a user with either reader or admin role assigned) face the same issue
  described above.
  
- Also it doesn't matter if heat.conf contains 
- 'encrypt_parameters_and_properties = true', the issue is observed 
+ Also it doesn't matter if heat.conf contains
+ 'encrypt_parameters_and_properties = true', the issue is observed
  regardles of the value for this parameter.
  
  Reproducer:
  -----------
  
  1. Create a simple stack where a 'hidden' parameter is used
- 2. Run 'openstack stack show <stack-id>', the hidden parameter will 
+ 2. Run 'openstack stack show <stack-id>', the hidden parameter will
  appear masked.
- 3. Run 'openstack stack environment show <stack-id>' the hidden 
+ 3. Run 'openstack stack environment show <stack-id>' the hidden
  parameter will appear in plain text.
- 4. Add 'encrypt_parameters_and_properties = true' to heat.conf and 
+ 4. Add 'encrypt_parameters_and_properties = true' to heat.conf and
  restart the heat services
  5. Repeat steps 1-3, issue should be reproduced
- 6. Set option in step 4 as 'false' and repeat steps 1-3, issue should 
+ 6. Set option in step 4 as 'false' and repeat steps 1-3, issue should
  be reproduced
+ 
+ [Regression Potential]
+ This changes the behavior of the API. If software depends on a hidden parameter being returned, the code will need to update the parameter to not be hidden.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to heat in Ubuntu.
https://bugs.launchpad.net/bugs/1999665

Title:
  Heat stack 'hidden' and heat.conf 'encrypt_parameters_and_properties'
  settings are not honored

Status in heat package in Ubuntu:
  Fix Released
Status in heat source package in Jammy:
  Triaged
Status in heat source package in Kinetic:
  Triaged
Status in heat source package in Lunar:
  Fix Released

Bug description:
  [Impact]

  This is a potential security vulnerability. The upstream story has
  been marked as 'Vulnerability or Security-related' and is awaiting
  security triage: https://storyboard.openstack.org/#!/story/2010484

  [Test Case]

  After a stack is created using:

  openstack stack create --parameter password=test123 -t
  simple_instance.yaml -e params.yaml my_simple_stack

  where 'simple_instance.yaml' defines a simple VM with a 'hidden'
  parameter as below:

    password:
      type: string
      hidden: true
      description: The password

  'hidden' is honored when you run:

  openstack stack show my_simple_stack | grep password
  |                       | password: '******'

  but that's not the case for the below command as the API returns the
  'hidden' parameter in plain text:

  openstack stack environment show my_simple_stack3 | grep password
    password: test123

  This behavior is observed in Focal/Ussuri and Jammy/Yoga and happens
  regardless of the user role used. Namely two users with either reader
  or member (admin role as well but this may be by design) face the same
  issue. For example, if user1 created the stack, both user1 and user2
  (a user with either reader or admin role assigned) face the same issue
  described above.

  Also it doesn't matter if heat.conf contains
  'encrypt_parameters_and_properties = true', the issue is observed
  regardless of the value for this parameter.

  Reproducer:
  -----------

  1. Create a simple stack where a 'hidden' parameter is used
  2. Run 'openstack stack show <stack-id>', the hidden parameter will
  appear masked.
  3. Run 'openstack stack environment show <stack-id>' the hidden
  parameter will appear in plain text.
  4. Add 'encrypt_parameters_and_properties = true' to heat.conf and
  restart the heat services
  5. Repeat steps 1-3, issue should be reproduced
  6. Set option in step 4 as 'false' and repeat steps 1-3, issue should
  be reproduced

  [Regression Potential]
  This changes the behavior of the API. If software depends on a hidden parameter being returned, the code will need to update the parameter to not be hidden.
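As an added example (not Heat's own code, and not the fix that landed for this bug), this is the masking that the environment API output would need to apply so that 'hidden' is honored the way 'stack show' already honors it; the template and environment are constructed dicts mirroring the report, and the 'parameter_defaults' section and the leak-audit helper are assumptions beyond what the report shows.

```python
"""Mask 'hidden' template parameters in a Heat-style stack environment.

Added example for Launchpad bug 1999665; not Heat's implementation.
"""

MASK = "******"  # the placeholder 'stack show' prints for hidden values

# Constructed HOT parameter section, mirroring the report's template.
TEMPLATE = {
    "parameters": {
        "password": {"type": "string", "hidden": True,
                     "description": "The password"},
        "image": {"type": "string", "description": "Glance image name"},
    }
}

# Constructed stored environment: what the API returned in plain text.
# The 'parameter_defaults' section is an assumption for illustration.
ENVIRONMENT = {
    "parameters": {"password": "test123", "image": "cirros"},
    "parameter_defaults": {"password": "default-secret"},
}

SECTIONS = ("parameters", "parameter_defaults")


def hidden_parameter_names(template):
    """Names of template parameters declared with hidden: true."""
    params = template.get("parameters") or {}
    return {name for name, spec in params.items() if spec.get("hidden")}


def mask_environment(template, environment):
    """Copy of the environment with every hidden parameter value masked.

    The input is not modified; both parameter sections are covered.
    """
    hidden = hidden_parameter_names(template)
    masked = dict(environment)
    for section in SECTIONS:
        values = environment.get(section)
        if isinstance(values, dict):
            masked[section] = {k: MASK if k in hidden else v
                               for k, v in values.items()}
    return masked


def leaked_hidden_values(template, environment):
    """Audit helper: 'section.name' entries whose hidden value is unmasked."""
    hidden = hidden_parameter_names(template)
    return [f"{s}.{k}" for s in SECTIONS
            for k, v in (environment.get(s) or {}).items()
            if k in hidden and v != MASK]
```

Running leaked_hidden_values against the environment a test stack actually returns is a direct check for the step 3 behaviour described in the reproducer.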
