OSSA-2014-036: Potential leak of passwords into log files

Date:

October 15, 2014

CVE:

CVE-2014-7230, CVE-2014-7231

Affects

• Nova: up to 2014.1.3

• Cinder: up to 2014.1.3

• Trove: up to 2014.1.2

Description

Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project’s code. An attacker with read access to the services’ logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.

Patches

• https://review.openstack.org/121382 (Icehouse)

• https://review.openstack.org/126665 (Icehouse)

• https://review.openstack.org/121096 (Icehouse)

• https://review.openstack.org/126699 (Icehouse)

• https://review.openstack.org/121416 (Icehouse)

• https://review.openstack.org/126594 (Juno)

• https://review.openstack.org/126592 (Juno)

• https://review.openstack.org/116927 (Kilo)

• https://review.openstack.org/126052 (Kilo)

• https://review.openstack.org/116982 (Kilo)

• https://review.openstack.org/126047 (Kilo)

• https://review.openstack.org/121417 (Kilo)

Credits

• Amrith Kumar from Tesora (CVE-2014-7230, CVE-2014-7231)

References

• https://launchpad.net/bugs/1377981

• https://launchpad.net/bugs/1343604

• https://launchpad.net/bugs/1345233

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7230

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7231