Date: Mon, 27 Apr 2015 11:05:39 +0000 (UTC)
From: "Rohit Yadav (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Assigned] (CLOUDSTACK-7049) APIs return sensitive information which CloudStack does not manage and which caller did not request

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-7049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rohit Yadav reassigned CLOUDSTACK-7049:
---------------------------------------

    Assignee: Rohit Yadav

> APIs return sensitive information which CloudStack does not manage and which caller did not request
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7049
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7049
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API
>    Affects Versions: 4.4.0
>            Reporter: Demetrius Tsitrelis
>            Assignee: Rohit Yadav
>            Priority: Critical
>              Labels: security
>             Fix For: 4.5.1
>
>
> CloudStack stores sensitive information such as passwords and keys. Some of this information it creates such as the users’ secret keys. Admins configure CloudStack with the other types of sensitive information such as host passwords, S3 secret keys, etc.
>
> There are two problems with the way the API returns sensitive information:
> 1) Many of the APIs return the entire state of the modified object on which they operate. For example, if the API to remove a NIC from a VM is called then the response returns the VM password even though the caller did not ask for it.
> 2) Some of the APIs return sensitive information which is not created nor managed by CloudStack. For instance, the listS3s API returns the S3 secret key. There doesn’t seem to be any legitimate use case for returning this category of information; this type of sensitive data could go into CloudStack for its internal use but should not come out via the API (i.e., CloudStack is not a password manager app!).
> Substantial changes cannot be made to the API without bumping the API version. A near-term mitigation for these problems then is simply to return empty strings in the response for the sensitive information which is not requested or which is not managed by CloudStack. So for the removeNicFromVirtualMachine API, for instance, return an empty string for the "password" value. A caller could still use getVMPassword to obtain the password if he needed it since it is CloudStack which generated the VM password. For the S3 case, ALWAYS return an empty value for the S3 secret key since that key is managed by Amazon and not CloudStack.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
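
The near-term mitigation described in the issue, as an added example (not CloudStack code and not part of the original message): a response filter that blanks secrets instead of removing them, so the response schema stays unchanged. The API names come from the issue; the field names `password` and `secretkey`, the response shapes and the sample values are assumptions constructed for illustration.

```python
import copy

# Assumed field names (lower-cased). Secrets CloudStack generates itself are
# returned only by the API whose purpose is to fetch them.
MANAGED_SECRETS = {"password": {"getVMPassword"}}
# Secrets owned by an external system (the S3 secret key in the issue) are
# write-only: they go in for internal use and never come back out.
EXTERNAL_SECRETS = {"secretkey"}


def redact(api_name, response):
    """Return a copy of `response` with unrequested or unmanaged secrets blanked.

    Values are replaced by "" rather than dropped, so the response keeps the
    same keys and no API version bump is needed.
    """
    def walk(node):
        if isinstance(node, dict):
            for key, value in list(node.items()):
                name = key.lower()
                if name in EXTERNAL_SECRETS:
                    node[key] = ""
                elif name in MANAGED_SECRETS and api_name not in MANAGED_SECRETS[name]:
                    node[key] = ""
                else:
                    walk(value)  # secrets may sit inside nested objects
        elif isinstance(node, list):
            for item in node:
                walk(item)

    result = copy.deepcopy(response)  # never mutate the caller's object
    walk(result)
    return result


# Constructed sample responses; shapes are illustrative, not CloudStack's.
REMOVE_NIC = {"virtualmachine": {"id": "vm-1", "password": "Xy7pQ2",
                                 "nic": [{"id": "nic-1"}]}}
GET_PASSWORD = {"id": "vm-1", "password": "Xy7pQ2"}
LIST_S3 = {"s3": [{"bucket": "templates", "accesskey": "AK-EXAMPLE",
                   "secretkey": "s3cr3t-example"}]}

if __name__ == "__main__":
    print(redact("removeNicFromVirtualMachine", REMOVE_NIC))
    print(redact("getVMPassword", GET_PASSWORD))
    print(redact("listS3s", LIST_S3))
```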