OSSA-2014-021: User token leak to message queue in pyCADF notifier middleware

OSSA-2014-021: User token leak to message queue in pyCADF notifier middleware

Date

June 25, 2014

CVE

CVE-2014-4615

Affects

  • Neutron: 2014.1 versions up to 2014.1.1

  • Ceilometer: 2013.2 versions up to 2013.2.3, 2014.1 versions up to 2014.1.1

Description

Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that goes through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted.

Credits

  • Zhi Kun Liu from IBM (CVE-2014-4615)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.