Bug 863484 (CVE-2014-1948) - VUL-0: CVE-2014-1948: openstack-glance: Swift store backend password leak in Glance logs
Status: RESOLVED FIXED
Alias: CVE-2014-1948
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Deadline: 2014-03-13
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp3-uptu:56470
Reported: 2014-02-12 10:59 UTC by Alexander Bergmann
Modified: 2014-03-26 23:04 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2014-02-12 10:59:27 UTC
Via OSS:12106

Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance
logs. The password for the Swift store backend is logged at WARNING
level as part of the URL when authentication to a store fails if
image location is not disabled by policy or the store is a
single-tenant configuration. An attacker with access to the logs
(local shell, log aggregation system access, or accidental leak) may
leverage this vulnerability to elevate privileges and gain direct
full access to the Glance Swift store backend. Only Glance setups
using the Swift store backend are affected.

References:
https://launchpad.net/bugs/1275062
http://comments.gmane.org/gmane.comp.security.oss.general/12106
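The leak described above comes from logging the raw store location, credentials included, when authentication fails. The following is an added illustration of the mitigation, not code from Glance or from the SUSE update: it redacts the password from a store URL before it reaches a log line, and adds a logging filter as defence in depth for any code path that still logs the raw value. The sample location, tenant, user, key and host are constructed, and the URL-with-credentials layout is assumed for illustration.

```python
import logging
import re
from urllib.parse import urlsplit

# Constructed sample (hypothetical tenant, user, key and host): a Swift store
# location carrying the backend credential in the userinfo part of the URL.
SAMPLE_LOCATION = "swift+https://tenant%3Auser:s3cr3tkey@auth.example.test/v1/images/0123-abcd"

# Matches "scheme://user:password@" and keeps everything except the password.
_CRED_RE = re.compile(r"(?P<prefix>[A-Za-z][A-Za-z0-9+.-]*://[^:/@\s]+:)[^@/\s]+(?=@)")


def redact_location(location: str) -> str:
    """Return the store location with its password replaced by '***'.

    Scheme, user, host and path are kept so the log line stays useful for
    debugging; only the credential is removed. Locations without a
    password are returned unchanged.
    """
    parts = urlsplit(location)
    userinfo, sep, hostpart = parts.netloc.rpartition("@")
    if not sep or ":" not in userinfo:
        return location
    user, _, _password = userinfo.partition(":")
    return location.replace(parts.netloc, f"{user}:***@{hostpart}", 1)


def auth_failure_message(location: str, reason: str, safe: bool = True) -> str:
    """Build the WARNING text for a failed store authentication.

    safe=False reproduces the leaky pattern (full location in the log);
    safe=True is the hardened form that logs the redacted location.
    """
    shown = redact_location(location) if safe else location
    return f"Authentication to store failed for {shown}: {reason}"


class CredentialScrubFilter(logging.Filter):
    """Scrub user:password@ URLs from every record passing the handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, then store the scrubbed text as the final message.
        record.msg = _CRED_RE.sub(r"\g<prefix>***", record.getMessage())
        record.args = ()
        return True


def scrubbed_log_line(location: str, reason: str) -> str:
    """Show what a leaky log call emits once the filter is attached."""
    record = logging.LogRecord("glance.store.swift", logging.WARNING, "<example>", 0,
                               "Authentication to store failed for %s: %s",
                               (location, reason), None)
    CredentialScrubFilter().filter(record)
    return record.getMessage()
```

Attaching the filter to the root handler (handler.addFilter(CredentialScrubFilter())) covers log calls the redaction helper was never applied to.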
Comment 1 Swamp Workflow Management 2014-02-12 23:00:16 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2014-02-13 10:19:08 UTC
CVE-2014-1948 was assigned to this issue.

Red Hat Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1064589
Comment 3 Vincent Untz 2014-02-13 10:29:47 UTC
Sascha: would you have time to submit the update? It seems to only impact Havana.
Comment 4 Vincent Untz 2014-02-19 21:18:00 UTC
Actually, we already had the update ready, so I just went ahead and submitted it. (Only affects Cloud 3, according to report).
Comment 5 Vincent Untz 2014-02-19 21:18:44 UTC
sr#33189
Comment 8 Swamp Workflow Management 2014-02-27 09:56:17 UTC
The SWAMPID for this issue is 56469.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Bernhard Wiedemann 2014-03-07 15:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (863484) was mentioned in
https://build.opensuse.org/request/show/225059 Factory / openstack-glance
Comment 10 Marcus Meissner 2014-03-26 13:58:20 UTC
released
Comment 11 Swamp Workflow Management 2014-03-26 19:45:40 UTC
Update released for: openstack-glance, openstack-glance-doc, openstack-glance-test, python-glance
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 12 Swamp Workflow Management 2014-03-26 23:04:35 UTC
SUSE-SU-2014:0453-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 863484
CVE References: CVE-2014-1948
Sources used:
SUSE Cloud 3 (src): openstack-glance-2013.2.3.dev1.g9d89b8e-0.7.3, openstack-glance-doc-2013.2.3.dev1.g9d89b8e-0.7.3