OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details

Date:

August 06, 2019

CVE:

CVE-2019-14433

Affects

• Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2

Description

Donny Davis with Intel reported a vulnerability in Nova Compute resource fault handling. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response and could include sensitive configuration or other data.

Patches

• https://review.openstack.org/674908 (Ocata)

• https://review.openstack.org/674877 (Pike)

• https://review.openstack.org/674859 (Queens)

• https://review.openstack.org/674848 (Rocky)

• https://review.openstack.org/674828 (Stein)

• https://review.openstack.org/674821 (Train)

Credits

• Donny Davis from Intel (CVE-2019-14433)

References

• https://launchpad.net/bugs/1837877

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433

Notes

• The stable/ocata and stable/pike branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.