Comment 7 for bug 1343604

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Exceptions thrown by execute() return a command that potentially includes passwords

We should be looking more precisely at the affected list and check which projects are using execute() with commands that have passwords passed on the command line.
For each identified affected project we'll need a target series and a patch for each affected branch (we are looking at 12 (stable) + 6 (master) + 3 (oslo) = 21 potential reviews!)

In the meantime, this is impact description draft #1:

Title: Potential password leak when shell commands fail
Reporter: Amrith Kumar (Tesora)
Products: Cinder (2013.2 versions up to 2013.2.3,
                    2014.1 versions up to 2014.1.1)
          Glance (2013.2 versions up to 2013.2.3,
                    2014.1 versions up to 2014.1.1)
          Heat (2013.2 versions up to 2013.2.3,
                    2014.1 versions up to 2014.1.1)
          Keystone (2013.2 versions up to 2013.2.3)
          Neutron (2013.2 versions up to 2013.2.3,
                    2014.1 versions up to 2014.1.1)
          Nova (2013.2 versions up to 2013.2.3,
                    2014.1 versions up to 2014.1.1)
          Trove (2014.1 versions up to 2014.1.1)

Description:
Amrith Kumar from Tesora reported a vulnerability in the processutils execute function, available from oslo-incubator and copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that fails. All services are impacted.
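To illustrate the failure mode described in this comment, here is an added example (not the oslo-incubator processutils code or any project's patch) of an execute() wrapper that masks password-like arguments before they reach the exception message, so a logged ProcessExecutionError no longer carries the secret. The argument patterns, the exception class and the demo command are constructed assumptions for this example.

```python
import re
import subprocess
import sys

# Constructed list of argument names that commonly carry secrets; an assumption
# for this example, to be tuned per project (it is not the project's own list).
_SECRET_ARG_RE = re.compile(
    r"(?P<key>--?(?:password|passwd|pass|secret|token)[=\s]+)(?P<val>\S+)",
    re.IGNORECASE,
)


def mask_command(cmd):
    """Return a loggable copy of cmd with password-like values replaced by ***."""
    joined = cmd if isinstance(cmd, str) else " ".join(cmd)
    return _SECRET_ARG_RE.sub(lambda m: m.group("key") + "***", joined)


class ProcessExecutionError(Exception):
    """Hypothetical exception; its message must only ever hold the masked command."""

    def __init__(self, masked_cmd, exit_code, stdout, stderr):
        self.cmd = masked_cmd
        self.exit_code = exit_code
        self.stdout = stdout
        self.stderr = stderr
        super().__init__(
            "Command failed (exit %d): %s\nstderr: %s" % (exit_code, masked_cmd, stderr)
        )


def execute(cmd, check_exit_code=True):
    """Run cmd without a shell; on a non-zero exit, raise with the command masked."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if check_exit_code and proc.returncode != 0:
        raise ProcessExecutionError(mask_command(cmd), proc.returncode,
                                    proc.stdout, proc.stderr)
    return proc.stdout, proc.stderr


def failing_command_message():
    """Constructed demo: run a command that exits 3 while carrying a
    secret-looking argument, and return the sanitized exception text."""
    cmd = [sys.executable, "-c", "import sys; sys.exit(3)", "--password=hunter2"]
    try:
        execute(cmd)
    except ProcessExecutionError as exc:
        return str(exc)
    return None
```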