OSSA-2015-008: Potential Keystone cache backend password leak in log

Date: May 04, 2015
CVE: CVE-2015-3646

Affects

  • Keystone: versions through 2014.1.4, and 2014.2 versions through 2014.2.3

Description

Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted.
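The defensive pattern that addresses this class of bug is to mask secrets before the configured cache arguments reach a log line. The example below is added here and is not Keystone's own code or its fix; it assumes the `backend_argument` entry format `argname:value` (split on the first colon) and a hypothetical list of argument names treated as secrets, and it also masks credentials embedded in a connection URL.

```python
import re

# Argument names whose values are treated as secrets. Assumed list: the
# advisory names only the MongoDB password as an example of sensitive content.
SENSITIVE_ARGS = frozenset({"password", "passwd", "secret", "auth_token"})

# Matches "scheme://user:password@" so credentials inside a URL are masked too.
_URL_CRED_RE = re.compile(
    r"(?P<prefix>[a-z][a-z0-9+.-]*://[^:/@\s]+:)(?P<pw>[^@\s]+)(?P<at>@)",
    re.IGNORECASE,
)
MASK = "***"


def parse_backend_argument(raw):
    """Split one backend_argument entry "argname:value" on the first colon
    (assumed format; values such as host:port keep their own colons)."""
    if ":" not in raw:
        raise ValueError("backend_argument entry must be 'argname:value': %r" % raw)
    name, value = raw.split(":", 1)
    return name.strip(), value


def mask_value(name, value):
    """Mask the whole value for secret argument names, otherwise only any
    user:password credential embedded in a URL-shaped value."""
    if name.lower() in SENSITIVE_ARGS:
        return MASK
    return _URL_CRED_RE.sub(lambda m: m.group("prefix") + MASK + m.group("at"), value)


def sanitize_backend_arguments(entries):
    """Return {argname: value} with secrets masked, safe to hand to a logger."""
    safe = {}
    for raw in entries:
        name, value = parse_backend_argument(raw)
        safe[name] = mask_value(name, value)
    return safe


def build_log_line(entries):
    """Render the sanitized arguments as the text a debug log would carry."""
    safe = sanitize_backend_arguments(entries)
    return "Cache backend arguments: " + ", ".join(
        "%s=%s" % (k, v) for k, v in sorted(safe.items()))


if __name__ == "__main__":
    # Constructed sample configuration, not from any real deployment.
    sample = [
        "db_hosts:localhost:27017",
        "db_name:ks_cache",
        "username:keystone",
        "password:hunter2",
        "url:mongodb://keystone:hunter2@db.example.internal:27017/ks",
    ]
    print(build_log_line(sample))
```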

Credits

  • Eric Brown from VMware (CVE-2015-3646)

Notes

  • This fix will be included in the future 2014.1.5 (icehouse) and 2014.2.4 (juno) releases.
  • The 2015.1.0 (kilo) release is not affected.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under the Creative Commons Attribution 3.0 License.