Bugzilla – Bug 1142617
VUL-0: CVE-2019-0202: storm: Apache Storm Logviewer file system access vulnerability
Last modified: 2020-10-21 09:23:25 UTC
oss-sec [CVE-2019-0202] Apache Storm Logviewer file system access vulnerability

In Apache Storm versions 0.9.1-incubating to 1.2.2, it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.

Mitigation: Upgrade to Apache Storm 1.2.3 or later.

Credit: Stig Rohde Døssing for discovery and fix

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0202
http://seclists.org/oss-sec/2019/q3/78
Tracked all codestreams as affected
I think we can close this. It is mitigated as we don't ship a configuration for Logviewer (Johannes verified that) and there is a version update accepted to Cloud 9 (thanks to Johannes for that).
(In reply to Joseph Davis from comment #4)
> I think we can close this. It is mitigated as we don't ship a configuration
> for Logviewer (Johannes verified that)

Thanks for the analysis. Please assign completed bugs to security-team@suse.de.
SUSE-SU-2020:2876-1: An update that fixes 9 vulnerabilities, contains 10 features is now available.

Category: security (critical)
Bug References: 1117080,1142617,1143163,1172450,1174583,1175484,1175986
CVE References: CVE-2018-11779,CVE-2018-17954,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2020-11110,CVE-2020-17376,CVE-2020-25032
JIRA References: SOC-10300,SOC-10522,SOC-11184,SOC-11223,SOC-11364,SOC-5480,SOC-9008,SOC-9779,SOC-9974,SOC-9998

Sources used:

SUSE OpenStack Cloud Crowbar 9 (src): crowbar-core-6.0+git.1598519900.770074aa7-3.28.4, grafana-6.7.4-3.17.1, grafana-natel-discrete-panel-0.0.9-4.3.3, openstack-cinder-13.0.10~dev16-3.25.3, openstack-dashboard-14.1.1~dev7-3.18.3, openstack-ironic-11.1.5~dev16-3.22.3, openstack-ironic-python-agent-3.3.4~dev5-3.16.2, openstack-manila-7.4.2~dev54-4.27.3, openstack-neutron-13.0.8~dev95-3.28.3, openstack-nova-18.3.1~dev54-3.28.3, rubygem-crowbar-client-3.9.3-3.9.1, storm-1.2.3-3.3.4

SUSE OpenStack Cloud 9 (src): ardana-ansible-9.0+git.1596813072.110811d-3.25.2, ardana-cinder-9.0+git.1596129576.0b3d3ce-3.13.2, ardana-cobbler-9.0+git.1588258487.3acf8ad-3.16.2, ardana-installer-ui-9.0+git.1569535129.ca87ef0-3.13.2, ardana-opsconsole-ui-9.0+git.1566593422.813e56c-4.13.2, ardana-osconfig-9.0+git.1597427032.a062830-3.19.2, grafana-6.7.4-3.17.1, grafana-natel-discrete-panel-0.0.9-4.3.3, openstack-cinder-13.0.10~dev16-3.25.3, openstack-dashboard-14.1.1~dev7-3.18.3, openstack-ironic-11.1.5~dev16-3.22.3, openstack-ironic-python-agent-3.3.4~dev5-3.16.2, openstack-manila-7.4.2~dev54-4.27.3, openstack-neutron-13.0.8~dev95-3.28.3, openstack-nova-18.3.1~dev54-3.28.3, python-Flask-Cors-3.0.3-4.3.2, storm-1.2.3-3.3.4, venv-openstack-cinder-13.0.10~dev16-3.22.3, venv-openstack-horizon-14.1.1~dev7-4.21.3, venv-openstack-ironic-11.1.5~dev16-4.17.2, venv-openstack-manila-7.4.2~dev54-3.23.2, venv-openstack-neutron-13.0.8~dev95-6.21.3, venv-openstack-nova-18.3.1~dev54-3.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.