So far, only Cinder, Nova and Trove have been confirmed. Here is the updated impact description:
Title: Potential password leak to log when shell command fails or because of incorrect password masking
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.4, 2014.1 versions up to 2014.1.1
Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when mask_password did not mask the password properly. All services are impacted.
Proposed fixes can be tracked here: https://review.openstack.org/#/q/I3b49b1d667f6ade9ae3f6765d735440a3e838917,n,z
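The leak described above, shown from the defensive side: a command wrapper that sanitizes the argument list and stderr before they reach an exception message or a log. This is an added example, not part of the original comment and not oslo-incubator's code; `SECRET_KEYS`, `mask_text`, `sanitize_argv`, `execute_masked` and `CommandFailed` are hypothetical names.

```python
import re
import subprocess

# Hypothetical key names treated as secrets (an assumption, not oslo's list).
SECRET_KEYS = ("password", "passwd", "admin_pass", "secret")
_KEYS = "|".join(SECRET_KEYS)
# key=value or key:value inside one string, value optionally quoted.
_INLINE = re.compile(r"(?i)((?:%s)\s*[=:]\s*)(['\"]?)[^'\"\s]+\2" % _KEYS)
# Option whose *next* argument is the secret, e.g. --password hunter2.
_FLAG = re.compile(r"(?i)^-{1,2}(?:%s)$" % _KEYS.replace("_", "[-_]"))
MASK = "***"


def mask_text(text):
    """Mask key=value style secrets in free text such as stderr."""
    return _INLINE.sub(r"\1\2" + MASK + r"\2", text)


def sanitize_argv(argv):
    """Return a copy of argv that is safe to write to a log."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:  # previous argument was a bare --password style flag
            out.append(MASK)
            mask_next = False
            continue
        mask_next = bool(_FLAG.match(arg))
        out.append(mask_text(arg))
    return out


class CommandFailed(Exception):
    """Failure whose message carries only the sanitized command line."""


def execute_masked(argv):
    """Run argv; on failure raise an error that never holds raw secrets."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        # Sanitize *before* building the message: whatever ends up in the
        # exception text is what a log reader will see.
        raise CommandFailed("exit code %d: %s\nstderr: %s" % (
            proc.returncode, " ".join(sanitize_argv(argv)),
            mask_text(proc.stderr)))
    return proc.stdout
```

Pattern-based masking only covers the forms it was written for; a secret passed positionally or under an unlisted key name still reaches the log, so keeping passwords out of command arguments remains the stronger control.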