OSSA-2014-036: Potential leak of passwords into log files

Date:October 15, 2014
CVE:CVE-2014-7230, CVE-2014-7231

Affects

  • Nova: up to 2014.1.3
  • Cinder: up to 2014.1.3
  • Trove: up to 2014.1.2

Description

Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project’s code. An attacker with read access to the services’ logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.

Credits

  • Amrith Kumar from Tesora (CVE-2014-7230, CVE-2014-7231)