Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)

Bug #1839426 reported by Denis Meltsaykin on 2019-08-08
Affects: Mirantis OpenStack; Importance: Critical; Assigned to: Roman Lubianyi
Affects: Mirantis OpenStack 7.0.x; Importance: Critical; Assigned to: Roman Lubianyi

Bug Description

Check whether 9.x-Mitaka is vulnerable to the CVE: [OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)

Details:

:Date: August 06, 2019
:CVE: CVE-2019-14433

Affects
~~~~~~~
- Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2

Description
~~~~~~~~~~~
Donny Davis with Intel reported a vulnerability in Nova Compute
resource fault handling. If an API request from an authenticated user
ends in a fault condition due to an external exception, details of the
underlying environment may be leaked in the response and could include
sensitive configuration or other data.

Patches
~~~~~~~
- https://review.openstack.org/674908 (Ocata)
- https://review.openstack.org/674877 (Pike)
- https://review.openstack.org/674859 (Queens)
- https://review.openstack.org/674848 (Rocky)
- https://review.openstack.org/674828 (Stein)
- https://review.openstack.org/674821 (Train)

Credits
~~~~~~~
- Donny Davis from Intel (CVE-2019-14433)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1837877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433

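The advisory above describes the fault-handling pattern that leaks: when an API request fails because of an exception raised outside Nova's own exception hierarchy (an OSError from the compute host, a driver or library error), the raw exception text is copied into the server's fault record and returned to the requesting user. The following is an added illustration of that pattern and of the hardened form, written for this page and not taken from Nova or from the linked patches; the class names (UserFacingError, Fault, build_fault_*), the sample I/O error and the sample path are all constructed for the example.

```python
"""Illustration (not Nova's code) of leaking vs. hardened fault serialization.

Modeled on the general pattern of turning an exception into a user-visible
server fault; all names and sample data here are hypothetical.
"""
import errno
from dataclasses import dataclass
from typing import Optional


class UserFacingError(Exception):
    """Stand-in for an exception type whose message is written for API users
    (the analogue of a project-defined, user-oriented exception class)."""
    code = 400


@dataclass
class Fault:
    code: int
    message: str
    details: Optional[str] = None


def build_fault_vulnerable(exc: Exception) -> Fault:
    """Vulnerable pattern: str(exc) of *any* exception becomes the message.

    For an OSError that means the host-local path that failed; for a driver
    error it can be a hypervisor URI or a connection string.
    """
    code = getattr(exc, "code", 500)
    return Fault(code=code, message=str(exc))


def build_fault_hardened(exc: Exception, is_admin: bool) -> Fault:
    """Hardened pattern: only exceptions designed for users keep their text.

    Anything else is reduced to its class name and coded as 500; the full
    text is attached as `details` for admin requesters only.
    """
    if isinstance(exc, UserFacingError):
        return Fault(code=getattr(exc, "code", 500), message=str(exc))
    fault = Fault(code=500, message=exc.__class__.__name__)
    if is_admin:
        fault.details = str(exc)
    return fault


def sample_external_exception() -> OSError:
    """Constructed sample: an I/O error from the compute host, the kind of
    'external exception' the advisory refers to. errno.EIO is used so the
    object stays a plain OSError rather than a mapped subclass."""
    return OSError(errno.EIO, "Input/output error",
                   "/var/lib/nova/instances/_base/hypothetical-image-cache")


def leaks_path(fault: Fault) -> bool:
    """Check used below: does the non-admin-visible message carry a host path?"""
    return "/var/lib/nova" in fault.message


if __name__ == "__main__":
    exc = sample_external_exception()
    print("vulnerable:", build_fault_vulnerable(exc))
    print("hardened (user):", build_fault_hardened(exc, is_admin=False))
    print("hardened (admin):", build_fault_hardened(exc, is_admin=True))
```

The non-admin result of the hardened variant (message "OSError", code 500, no details) is the shape of the fault the verification comment below reports after the Mirantis fix; the same check, run against the vulnerable variant, shows the host path in the message.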
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → Roman Lubianyi (rlubianyi)
Denis Meltsaykin (dmeltsaykin) wrote :
Changed in mos:
status: Confirmed → Fix Committed
Denis Meltsaykin (dmeltsaykin) wrote :

Fix for Kilo is committed: https://review.fuel-infra.org/#/c/41463/1 tested manually.

Pavel Glazov (pglazovv) wrote :

Verified
Error message for non-admin users:
Fault OSError
Message Code 500

Changed in mos:
status: Fix Committed → Fix Released
information type: Private Security → Public Security