After looking more closely at the affected project usage, it's not as broad as it firsts sounded. Either service does not log the exception/mask_password, either vulnerable are used without any password/sensitive data on command line.
Yet here is a more concrete list of vulnerable code:
execute: [stable/havana]:
* cinder (cinder/brick/iscsi/iscsi.py:414),
* nova (no clear vulnerable usage, yet the exception is re-implemented in tools/esx/guest_tool.py and nova/virt/powervm/operator.py:213 is logging the exception)
After looking more closely at the affected project usage, it's not as broad as it firsts sounded. Either service does not log the exception/ mask_password, either vulnerable are used without any password/sensitive data on command line.
Yet here is a more concrete list of vulnerable code:
execute: [stable/havana]: brick/iscsi/ iscsi.py: 414), guest_tool. py and nova/virt/ powervm/ operator. py:213 is logging the exception)
* cinder (cinder/
* nova (no clear vulnerable usage, yet the exception is re-implemented in tools/esx/
mask_password: [stable/icehouse]: extensions/ mysql/service. py:85) zonemanager/ drivers/ brocade/ brcd_fc_ zone_client_ cli.py: 331),
* trove (trove/
execute: [stable/icehouse]:
* cinder (cinder/
* nova (unclear),
* trove (unclear)
mask_password: [master]: instance/ service. py:181) zonemanager/ drivers/ brocade/ brcd_fc_ zone_client_ cli.py: 336), guestagent/ strategies/ restore/ couchbase_ impl.py: 193)
* trove (trove/
execute: [master]:
* cinder (cinder/
* trove (trove/
@trove-coresec and @cinder-coresec: Can you please confirmed the impacted code ?
@nova-coresec: Can you please double check Nova codebase for those vulnerability ?