OSSA-2014-036: Potential leak of passwords into log files¶
October 15, 2014
Nova: up to 2014.1.3
Cinder: up to 2014.1.3
Trove: up to 2014.1.2
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project’s code. An attacker with read access to the services’ logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.
Amrith Kumar from Tesora (CVE-2014-7230, CVE-2014-7231)