Bugzilla – Bug 929628
VUL-1: CVE-2015-3646: openstack-keystone: backend_argument configuration option may contain sensitive info
Last modified: 2016-10-20 10:23:34 UTC
Quoting from launchpad upstream bug: The keystone.conf has an option backend_argument to set various options for the caching backend. As documented, some of the potential values can contain a password. Snippet from http://docs.openstack.org/developer/keystone/developing.html#dogpile-cache-based-mongodb-nosql-backend

[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend
backend = keystone.cache.mongo
# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password

As a result, passwords can be leaked to the keystone logs since the config option is not marked secret.

CVE-2015-3646

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3646
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3646.html
https://bugs.launchpad.net/keystone/+bug/1443598
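The leak described in the quoted report, as an added example that is not part of this bug or of keystone's own code: a small parser that collects repeated backend_argument lines the way an oslo.config MultiStrOpt does (stdlib configparser would reject or collapse the duplicates), a check that reports which backend_argument entries carry credentials, and a startup-style config dump rendered once with the option unmarked and once with it treated as secret (masked as ****, which is how oslo.config prints values declared with secret=True). The sample keystone.conf is constructed from the snippet above; SECRET_OPTS and SENSITIVE_ARG_KEYS are hypothetical lists chosen for this example, not keystone's.

```python
"""Show how a password placed in keystone's [cache] backend_argument ends up
in a config dump unless the option is treated as secret.
Added illustration; not keystone or oslo.config code."""

import re
from collections import defaultdict

# Constructed sample, modelled on the snippet in the bug report.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = True

[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend
backend = keystone.cache.mongo
# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password
"""

# (section, option) pairs to mask in a dump. Hypothetical allow-list for this
# example; it stands in for declaring the option with secret=True.
SECRET_OPTS = {("cache", "backend_argument")}

# backend_argument keys whose values should never reach a log file
# (hypothetical list chosen for the example).
SENSITIVE_ARG_KEYS = {"password", "passwd", "secret", "token"}

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_OPTION = re.compile(r"^(?P<key>[^=#;\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Return {section: {key: [values...]}}. Repeated keys accumulate, as an
    oslo.config MultiStrOpt does, instead of overwriting each other."""
    sections = defaultdict(lambda: defaultdict(list))
    current = "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            continue
        m = _OPTION.match(line)
        if m:
            sections[current][m.group("key")].append(m.group("value"))
    return {s: dict(opts) for s, opts in sections.items()}


def split_backend_argument(arg):
    """'db_hosts:localhost:27017' -> ('db_hosts', 'localhost:27017');
    only the first colon separates the argument name from its value."""
    key, _, value = arg.partition(":")
    return key.strip(), value


def sensitive_backend_arguments(conf):
    """Names of the [cache] backend_argument entries that carry credentials."""
    args = conf.get("cache", {}).get("backend_argument", [])
    return sorted(k for k, _ in map(split_backend_argument, args)
                  if k.lower() in SENSITIVE_ARG_KEYS)


def render_opt_values(conf, secret_opts):
    """Lines a startup config dump would write. Options in secret_opts are
    shown as '****', the masking oslo.config applies to secret=True values."""
    lines = []
    for section, opts in conf.items():
        for key, values in opts.items():
            for value in values:
                shown = "****" if (section, key) in secret_opts else value
                lines.append(f"{section}.{key} = {shown}")
    return lines


def leaked_secrets(log_lines):
    """Scan dump/log lines for a backend_argument password in the clear."""
    return [line for line in log_lines if re.search(r"\bpassword:\S+", line)]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_KEYSTONE_CONF)
    print("credential-carrying backend_argument keys:",
          sensitive_backend_arguments(conf))
    print("\n-- backend_argument not secret (the CVE-2015-3646 behaviour) --")
    unfixed = render_opt_values(conf, secret_opts=set())
    print("\n".join(unfixed))
    print("leaked:", leaked_secrets(unfixed))
    print("\n-- backend_argument treated as secret --")
    fixed = render_opt_values(conf, secret_opts=SECRET_OPTS)
    print("\n".join(fixed))
    print("leaked:", leaked_secrets(fixed))
```

The practical check for an operator is the combination of the two functions at the end: run sensitive_backend_arguments over the deployed keystone.conf, and grep the keystone log for the same values after a debug-level startup, which is when a config dump of the kind modelled by render_opt_values is normally written. Masking the whole MultiStrOpt is the coarse but safe choice, since the option is free-form key:value text and cannot be masked per key by the config library.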
bugbot adjusting priority
The change has been in all our OpenStack packages since May, and we don't support setting the backend_argument in crowbar.
SUSE-SU-2016:2325-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 929628,960015,960601,967356
CVE References: CVE-2015-3646,CVE-2015-7548
Sources used:
SUSE OpenStack Cloud 5 (src): openstack-keystone-2014.2.4.juno-17.1, openstack-keystone-doc-2014.2.4.juno-17.2, openstack-nova-2014.2.4.juno-29.1, openstack-nova-doc-2014.2.4.juno-29.1, openstack-swift-2.1.0-14.1, openstack-swift-doc-2.1.0-14.1