Bugzilla – Bug 961145
VUL-0: CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError
Last modified: 2020-07-26 22:02:32 UTC
rh#1296837
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability in Nova. If a StorageError occurs when attempting to connect a volume using the Xen API, the connection parameters will be logged. These parameters may include credentials that are not masked. An attacker with read access to Nova logs could use these credentials with the Xen API directly. Only Nova deployments using the Xen backend are affected by this flaw.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1296837
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8749
http://seclists.org/oss-sec/2016/q1/43
https://bugs.launchpad.net/bugs/1321785
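The flaw class described above (logging the raw connection parameters on a failed volume attach) and its mitigation, as an added example that is not Nova's code and not the upstream fix: the leaky and the masked error handlers sit side by side, a recursive masker blanks any key that looks credential-bearing before the dict reaches the log, and a small log-audit helper checks whether a known secret made it into the captured output. The StorageError class, the connection_info sample and the list of sensitive key markers are constructed for this example; a real deployment would use a maintained helper such as oslo.utils' strutils.mask_dict_password rather than a hand-rolled key list.

```python
import logging

# Constructed marker list: any key containing one of these substrings is treated
# as a credential and replaced with MASK before the structure is logged.
SENSITIVE_KEY_MARKERS = ("password", "passwd", "secret", "token", "auth_key")
MASK = "***"

# Constructed sample of what a block-storage connection_info dict can look like.
# The CHAP password is the value that must never reach the log.
SAMPLE_CONNECTION_INFO = {
    "driver_volume_type": "iscsi",
    "data": {
        "target_iqn": "iqn.2010-10.org.openstack:volume-0000",
        "target_portal": "192.0.2.10:3260",
        "auth_method": "CHAP",
        "auth_username": "cinder",
        "auth_password": "s3cr3t-chap",
    },
}


def _is_sensitive(key):
    key = str(key).lower()
    return any(marker in key for marker in SENSITIVE_KEY_MARKERS)


def mask_connection_info(info):
    """Return a deep copy of info with every credential-looking value masked.

    Nested dicts and lists are walked so that a secret under data[...] is
    caught as well as one at the top level.
    """
    if isinstance(info, dict):
        return {k: (MASK if _is_sensitive(k) else mask_connection_info(v))
                for k, v in info.items()}
    if isinstance(info, (list, tuple)):
        return [mask_connection_info(v) for v in info]
    return info


class StorageError(Exception):
    """Stand-in (hypothetical) for the backend error raised on a failed attach."""


def _connect_volume(connection_info):
    # Hypothetical backend call; always fails so the error path is exercised.
    raise StorageError("storage repository unreachable")


def attach_volume_leaky(connection_info, log):
    """The pattern behind the advisory: the raw parameters are logged on failure."""
    try:
        _connect_volume(connection_info)
    except StorageError as exc:
        log.error("Unable to attach volume, connection_info=%s: %s",
                  connection_info, exc)
        raise


def attach_volume_masked(connection_info, log):
    """Same error handling, but the parameters are masked before logging."""
    try:
        _connect_volume(connection_info)
    except StorageError as exc:
        log.error("Unable to attach volume, connection_info=%s: %s",
                  mask_connection_info(connection_info), exc)
        raise


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the output can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def capture_error_log(attach_func, connection_info):
    """Run attach_func against an isolated logger and return what it logged."""
    log = logging.getLogger("example.%s" % attach_func.__name__)
    log.propagate = False
    log.setLevel(logging.ERROR)
    handler = _ListHandler()
    log.addHandler(handler)
    try:
        attach_func(connection_info, log)
    except StorageError:
        pass  # the failure itself is expected; we only care about the log line
    finally:
        log.removeHandler(handler)
    return "\n".join(handler.lines)


def find_leaked_secrets(log_text, known_secrets):
    """Log-audit helper: return the known secret values that appear in log_text."""
    return sorted(s for s in known_secrets if s in log_text)


if __name__ == "__main__":
    secrets = [SAMPLE_CONNECTION_INFO["data"]["auth_password"]]
    for func in (attach_volume_leaky, attach_volume_masked):
        text = capture_error_log(func, SAMPLE_CONNECTION_INFO)
        print("%s -> leaked: %s" % (func.__name__, find_leaked_secrets(text, secrets)))
```

The masker keys off the field name, not the value, which is what makes it usable at the point where the dict is about to be logged: it needs no knowledge of which values are secret, only of which keys carry them. find_leaked_secrets is the complementary check from the operator's side, useful when auditing existing log files for values that should never have been written.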
bugbot adjusting priority
In SUSE-Cloud we support Xen via libvirt, which is different from how most people use Xen in OpenStack, which is why it is not working so well and most of our users use KVM instead. The upstream fix was https://review.openstack.org/#/c/233151/ and I checked that our Cloud6 oslo.versionedobjects-0.10.0 does not contain it at the moment.
The correct bug for the CVE is https://bugs.launchpad.net/nova/+bug/1516765. This is about xenapi, which is not what we support. We support libvirt+xen, so it doesn't impact us. Security team: is WONTFIX fine?
If it does not affect us, yes please close.
As discussed, closing.