Bug 939348 (CVE-2015-5160) - VUL-0: CVE-2015-5160: libvirt: leaks ceph ids on the commandline
Status: RESOLVED UPSTREAM
Alias: CVE-2015-5160
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: James Fehlig
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2015-5160:2.1:(AV:L...
Reported: 2015-07-24 09:14 UTC by Marcus Meissner
Modified: 2016-04-27 19:08 UTC

Comment 4 Swamp Workflow Management 2015-07-24 21:59:33 UTC
bugbot adjusting priority
Comment 8 James Fehlig 2015-08-03 22:26:47 UTC
There have been no further discussions on the libvirt-security list, and I cannot access the Red Hat bug either, so don't know the status of the embargo.

WRT affected products, I think all are affected if customers are using any of the network-based block drivers *with* auth credentials. But as noted in #5, I don't think there is much we can do about it beyond "making sure users are aware of the limitation as it stands".
Comment 10 Andreas Stieger 2015-10-13 11:07:53 UTC
Including by reference:
https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html

Upstream is aware of this limitation. Not fixable directly. Users should exercise caution regarding ceph IDs leaked on the command line and adjust their security posture accordingly.
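
An added example, not part of the bug report and not libvirt or QEMU code: a host-side audit that flags QEMU processes whose arguments carry an inline Ceph credential and reports them with the secret redacted. The `rbd:pool/image:id=...:key=...` argument layout, the function names and the sample command line (constructed, with a placeholder key) are assumptions.

```python
import os
import re

# Assumed layout of the drive argument: rbd:pool/image:id=USER:key=BASE64:...
# Options inside the rbd spec are ':'-separated; ',' ends the spec.
RBD_KEY = re.compile(r"(rbd:[^,\s]*?:key=)([^:,\s]+)")
RBD_ID = re.compile(r":id=([^:,\s]+)")

# Constructed sample in /proc/<pid>/cmdline form (NUL-separated); the key is a placeholder.
SAMPLE = (b"/usr/bin/qemu-system-x86_64\0-name\0guest1\0-drive\0"
          b"file=rbd:pool/image:id=libvirt:key=Q09OU1RSVUNURUQ=:"
          b"auth_supported=cephx\\;none,format=raw,if=none,id=drive-virtio-disk0\0")

def parse_cmdline(raw):
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv):
    """Return one finding per argument that embeds an rbd key, secret redacted."""
    findings = []
    for index, arg in enumerate(argv):
        if not RBD_KEY.search(arg):
            continue
        ceph_id = RBD_ID.search(arg)
        findings.append({
            "arg_index": index,
            "ceph_id": ceph_id.group(1) if ceph_id else None,
            "redacted": RBD_KEY.sub(r"\1<redacted>", arg),
        })
    return findings

def audit_proc(proc_root="/proc"):
    """Audit every process whose cmdline is readable; returns {pid: findings}."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                findings = audit_argv(parse_cmdline(fh.read()))
        except OSError:  # process exited, or /proc is mounted with hidepid
            continue
        if findings:
            report[int(entry)] = findings
    return report

if __name__ == "__main__":
    for finding in audit_argv(parse_cmdline(SAMPLE)):
        print(finding)
```

Running `audit_proc()` as an unprivileged account shows what that account can see; an empty report from such an account on a host with rbd-backed guests indicates that `/proc` visibility is already restricted.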