Bugzilla – Bug 852177
VUL-0: CVE-2013-6384: openstack-ceilometer: Ceilometer DB2/MongoDB backend password leak
Last modified: 2016-04-27 19:55:37 UTC
CVE-2013-6384 Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected. References: http://www.openwall.com/lists/oss-security/2013/11/22/3 https://bugs.launchpad.net/ceilometer/+bug/1244476 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6384 https://bugzilla.redhat.com/show_bug.cgi?id=1033715
Low priority as ceilometer is tech preview in 2.0... But the fix looks trivial, so we should just do it.
bugbot adjusting priority
Grizzly is not affected, ceilometer/storage/impl_mongodb.py has the following code: opts = self._parse_connection_url(conf.database_connection) LOG.info('connecting to MongoDB on %s:%s', opts['host'], opts['port']) Where opts['username'] and opts['password'] are never logged: def _parse_connection_url(self, url): opts = {} result = urlparse.urlparse(url) ... if auth: opts['username'], opts['password'] = auth.split(':')
Havana fix currently in Cloud:OpenStack:Havana:Staging, will land in Devel:Cloud:3.
So the fix is in D:C:3:Staging meanwhile. Will be part of next Cloud release. Closing therefore.