OSSA-2013-031: Ceilometer DB2/MongoDB backend password leak

OSSA-2013-031: Ceilometer DB2/MongoDB backend password leak¶

Date:: November 25, 2013
CVE:: CVE-2013-6384

Affects¶

Ceilometer: All supported versions

Description¶

Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected.

Patches¶

https://review.openstack.org/#/c/56396 (Havana)
https://review.openstack.org/#/c/54553 (Icehouse)

Credits¶

Eric Brown from IBM (CVE-2013-6384)

References¶

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.