[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)
Bug #1516765 reported by
Matt Riedemann
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
High
|
Matt Riedemann | ||
| Juno |
Won't Fix
|
Undecided
|
Unassigned | ||
| Kilo |
Fix Released
|
High
|
Tony Breeds | ||
| Liberty |
Fix Released
|
High
|
Matt Riedemann | ||
| Mitaka |
Fix Released
|
High
|
Matt Riedemann | ||
| OpenStack Security Advisory |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
This code dumps the connection_info dict into the StorageError message:
https:/
As can be seen a few lines later, auth_password can be in that dict:
https:/
So the password would be leaked into the error message that's raised up. This could eventually get back to the logs or a user if not handled properly.
CVE References
| tags: | added: kilo-backport-potential liberty-backport-potential |
| tags: | added: juno-backport-potential |
| tags: | removed: juno-backport-potential |
| Changed in nova: | |
| status: | Fix Committed → Fix Released |
| information type: | Public → Public Security |
| summary: |
xenapi: volume_utils._parse_volume_info can leak connection password via - StorageError + StorageError (CVE-2015-8749) |
| Changed in ossa: | |
| status: | Triaged → In Progress |
| Changed in ossa: | |
| status: | In Progress → Fix Released |
| tags: |
added: in-stable-kilo removed: kilo-backport-potential liberty-backport-potential |
| summary: |
- xenapi: volume_utils._parse_volume_info can leak connection password via - StorageError (CVE-2015-8749) + [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak + connection password via StorageError (CVE-2015-8749) |
To post a comment you must log in.

See related bug 1321785 for obfuscating the block device mapping connection_info dict.