Bugzilla – Bug 899190
VUL-1: CVE-2014-7230 CVE-2014-7231: openstack-cinder,openstack-nova,openstack-trove: potential leak of passwords into log files
Last modified: 2015-08-17 10:58:30 UTC
via oss-sec

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that have failed or when the mask_password did not mask passwords properly.

References:
https://launchpad.net/bugs/1343604
https://launchpad.net/bugs/1345233

Thanks in advance,
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
From Mitre:

There are (at least) two CVE IDs needed because of the different vulnerability types.

The older code in which processutils.execute was simply logging cmd directly, without any masking step, can be considered an instance of the http://cwe.mitre.org/data/definitions/532.html issue. For this, use CVE-2014-7230.

The older code with a short _FORMAT_PATTERNS list, with a later replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists, can be considered an instance of the http://cwe.mitre.org/data/definitions/184.html issue. Bug #1343604 mentions 'mask_password did not, for example, catch the usage ... /usr/sbin/mysqld --password=top-secret ... They did catch ... /usr/sbin/mysqld --password="top-secret" ... make the strings in strutils.mask_password more robust.' For this, use CVE-2014-7231.

The additional complication is that there were apparently already releases with incomplete fixes for CVE-2014-7230. Separate CVE IDs are needed when parts of the problem were fixed in different releases. For example, Cinder 2013.2.4 contains a fix for the "Running cmd (subprocess)" logging problem but apparently does not contain a fix for the "Running cmd (SSH)" logging problem. The patch for the latter is shown in the https://git.openstack.org/cgit/openstack/trove/commit/?id=9672744f090d462cac5eb757ceaacd7122362708 commit. Is this a remaining vulnerability in Cinder 2013.2.4 and possibly other products? If so, then we will assign another CVE ID.

--
CVE assignment team, MITRE CVE Numbering Authority
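The two issue types distinguished in the comment above, as an added example that is not part of the bug report and is not oslo-incubator code: logging a command with no masking step (CWE-532) and masking with an incomplete pattern list (CWE-184). The regexes, the key list and the function names are simplified assumptions for illustration, not the project's `_FORMAT_PATTERNS`; the two sample command lines are the ones quoted from bug #1343604.

```python
import re

MASK = "***"
KEY = r"(?:password|passwd)"  # constructed key list, not the project's

# Incomplete pattern: only recognises a quoted value after the key (CWE-184 gap).
QUOTED_ONLY = re.compile(rf"""({KEY}\s*[=:]\s*)(["']).*?\2""", re.IGNORECASE)

# More robust pattern: quoted or bare value after the key.
ROBUST = re.compile(rf"""({KEY}\s*[=:]\s*)(?:"[^"]*"|'[^']*'|[^\s"']+)""",
                    re.IGNORECASE)


def mask_quoted_only(text):
    """Mask only values wrapped in quotes; bare values pass through."""
    return QUOTED_ONLY.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{MASK}{m.group(2)}", text)


def mask_robust(text):
    """Mask the value whether or not it is quoted."""
    return ROBUST.sub(lambda m: m.group(1) + MASK, text)


def log_line(cmd, masker=None):
    """Return the line a command wrapper would write to its log.

    With masker=None the command is logged directly (the CWE-532 case).
    """
    joined = " ".join(cmd)
    return "Running cmd (subprocess): " + (masker(joined) if masker else joined)


if __name__ == "__main__":
    samples = [  # command lines quoted in the bug discussion
        ["/usr/sbin/mysqld", "--password=top-secret"],
        ["/usr/sbin/mysqld", '--password="top-secret"'],
    ]
    for cmd in samples:
        for masker in (None, mask_quoted_only, mask_robust):
            name = masker.__name__ if masker else "no masking"
            print(f"{name:17} {log_line(cmd, masker)}")
```

Running it against a service's own log format is a quick regression check after applying a vendor update: any line where the bare-value form survives masking indicates the older pattern list is still in use.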
bugbot adjusting priority
added updates with bnc+CVE refs to Icehouse and Havana packages in OBS
SUSE-SU-2014:1467-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 883950,894055,897815,899190,899198
CVE References: CVE-2014-3641,CVE-2014-7230,CVE-2014-7231
Sources used:
SUSE Cloud 4 (src): openstack-cinder-2014.1.4.dev19.g80c0054-0.7.1, openstack-cinder-doc-2014.1.4.dev19.g80c0054-0.7.1
SUSE-SU-2015:0324-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 867922,897815,898371,899190,899199,901087,903013
CVE References: CVE-2014-3608,CVE-2014-3708,CVE-2014-7230,CVE-2014-7231,CVE-2014-8750
Sources used:
SUSE Cloud 4 (src): openstack-nova-2014.1.4.dev49-0.7.1, openstack-nova-doc-2014.1.4.dev49-0.7.1