Comment 47 for bug 1343604

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Exceptions thrown, and messages logged by execute() may include passwords

Proposed fixes can be tracked here:
  https://review.openstack.org/#/q/I3b49b1d667f6ade9ae3f6765d735440a3e838917,n,z

So far, only Cinder, Nova and Trove have been confirmed. Here is the updated impact description:

Title: Potential password leak to log when a shell command fails or because of incorrect password masking
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.4, 2014.1 versions up to 2014.1.1

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator, which are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed, or when mask_password did not mask the password properly. All services are impacted.
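The two failure modes the impact description names, shown side by side as an added example. This is not the oslo-incubator code nor any project's fix: it is a small mask_password() written in the spirit of strutils.mask_password(), next to a leaky execute() that puts the raw argv into its exception text and a hardened one that masks both the command line and the child's stderr before anything can reach a log. The secret key names, the option patterns and the sample failing command are assumptions made for illustration.

```python
"""Constructed example (not the oslo-incubator code).

A small mask_password() in the spirit of strutils.mask_password(), and an
execute() wrapper that masks the command line and the child's stderr before
either can end up in an exception message or a log record.
"""
import logging
import re
import subprocess

LOG = logging.getLogger(__name__)

# Parameter names treated as secrets (assumption: representative, not exhaustive).
_KEYS = "password|passwd|pwd|admin_pass|auth_token"

# A secret value: a single- or double-quoted string (may contain spaces),
# otherwise a run of non-whitespace characters. Matching only \S+ here is the
# kind of "incorrect masking" that leaves the tail of a quoted password in the log.
_VALUE = r"""(?P<secret>'[^']*'|"[^"]*"|\S+)"""

# Each pattern names the part to keep "prefix" and the part to hide "secret".
_PATTERNS = [
    # key=VALUE, --key=VALUE, --os-key=VALUE, admin_key = VALUE
    re.compile(r"(?P<prefix>(?:--(?:[\w-]*-)?)?(?:%s)\s*=\s*)%s" % (_KEYS, _VALUE), re.I),
    # --key VALUE, --os-key VALUE, -p VALUE  (space-separated CLI options)
    re.compile(r"(?P<prefix>(?:--(?:[\w-]*-)?(?:%s)|-p)\s+)%s" % (_KEYS, _VALUE), re.I),
    # "key": "VALUE"  (JSON-style payloads that may be passed on a command line)
    re.compile(r'(?P<prefix>"(?:%s)"\s*:\s*")(?P<secret>[^"]*)' % _KEYS, re.I),
    # -pVALUE with no separator (mysql style); this also hides any other
    # single-dash option starting with "p", the price of not missing this form
    re.compile(r"(?P<prefix>(?<!\S)-p)(?P<secret>\S+)"),
]


def mask_password(message, secret="***"):
    """Return *message* with every recognised password value replaced."""
    if not message:
        return message
    for pattern in _PATTERNS:
        message = pattern.sub(lambda m: m.group("prefix") + secret, message)
    return message


class ProcessExecutionError(Exception):
    """Raised when a command fails. Stores only masked text, so logging the
    exception (or its traceback) cannot reproduce the password."""

    def __init__(self, cmd, exit_code, stderr):
        self.cmd = mask_password(cmd)
        self.exit_code = exit_code
        self.stderr = mask_password(stderr)
        super().__init__("Command %r failed (exit code %d): %s"
                         % (self.cmd, self.exit_code, self.stderr.strip()))


def execute_leaky(*cmd):
    """The unsafe shape: the raw argv reaches the log and the exception."""
    cmd_str = " ".join(cmd)
    LOG.debug("Running cmd: %s", cmd_str)  # password written verbatim
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        # Whoever catches and logs this exception logs the password too.
        raise RuntimeError("Command %r failed: %s" % (cmd_str, proc.stderr))
    return proc.stdout


def execute(*cmd):
    """The hardened shape: mask before anything is logged or raised."""
    cmd_str = " ".join(cmd)
    LOG.debug("Running cmd: %s", mask_password(cmd_str))
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise ProcessExecutionError(cmd_str, proc.returncode, proc.stderr)
    return proc.stdout


def failure_message(fn, *cmd):
    """Run *fn* on a command expected to fail and return the exception text."""
    try:
        fn(*cmd)
    except Exception as exc:  # the demo only wants the message a log would get
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed failing command: a tool that rejects an option and echoes it
    # back on stderr, as many CLIs do, so the secret shows up in two places.
    cmd = ("sh", "-c", 'echo "bad option: $1" >&2; exit 2', "sh", "--password=s3cr3t")
    print("leaky   :", failure_message(execute_leaky, *cmd))
    print("hardened:", failure_message(execute, *cmd))
```

Running the block prints the leaky message with "s3cr3t" in both the command and the echoed stderr, and the hardened message with "--password=***" in both places. The stderr masking matters because a failing tool frequently repeats the offending argument in its error output, so masking the command alone is not enough.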