2019-07-25 12:24:46 |
Donny Davis |
bug |
|
|
added bug |
2019-07-25 13:14:29 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2019-07-25 13:14:38 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2019-07-25 13:15:15 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
2019-07-25 13:15:49 |
Jeremy Stanley |
description |
It would appear Nova is revealing information that may be sensitive in error messages
http://lists.openstack.org/pipermail/openstack-infra/2019-July/006426.html
I attempted to hard-reboot it, and it went into an error state. The initial error in the server status was
{'message': 'Timed out during operation: cannot acquire state change lock (held by monitor=remoteDispatchDomainCreateWithFlags)', 'code': 500, 'created': '2019-07-25T07:25:25Z'}
After a short period, I tried again and got a different error state
{'message': "internal error: process exited while connecting to monitor: lc=,keyid=masterKey0,iv=jHURYcYDkXqGBu4pC24bew==,format=base64 -drive 'file=rbd:volumes/volume-41553c15-6b12-4137-a318-7caf6a9eb44c:id=cinder:auth_supported=cephx\\;none:mon_host=172.24.0.56\\:6789", 'code': 500, 'created': '2019-07-25T07:27:21Z'}
I don't know if this is a setting or a bug. Better to report and close than not say anything I guess. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
It would appear Nova is revealing information that may be sensitive in error messages
http://lists.openstack.org/pipermail/openstack-infra/2019-July/006426.html
I attempted to hard-reboot it, and it went into an error state. The initial error in the server status was
{'message': 'Timed out during operation: cannot acquire state change lock (held by monitor=remoteDispatchDomainCreateWithFlags)', 'code': 500, 'created': '2019-07-25T07:25:25Z'}
After a short period, I tried again and got a different error state
{'message': "internal error: process exited while connecting to monitor: lc=,keyid=masterKey0,iv=jHURYcYDkXqGBu4pC24bew==,format=base64 -drive 'file=rbd:volumes/volume-41553c15-6b12-4137-a318-7caf6a9eb44c:id=cinder:auth_supported=cephx\\;none:mon_host=172.24.0.56\\:6789", 'code': 500, 'created': '2019-07-25T07:27:21Z'}
I don't know if this is a setting or a bug. Better to report and close than not say anything I guess. |
|
2019-07-25 14:00:55 |
Jeremy Stanley |
bug |
|
|
added subscriber Mohammed Naser |
2019-07-25 14:52:31 |
Mohammed Naser |
bug |
|
|
added subscriber Eric Fried |
2019-07-25 14:57:00 |
Mohammed Naser |
bug |
|
|
added subscriber Matt Riedemann |
2019-07-25 14:58:41 |
Mohammed Naser |
bug |
|
|
added subscriber melanie witt |
2019-07-25 15:55:01 |
Mohammed Naser |
bug |
|
|
added subscriber Dan Smith |
2019-07-25 18:11:53 |
Matt Riedemann |
nova: status |
New |
Triaged |
|
2019-07-25 18:11:55 |
Matt Riedemann |
nova: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-25 18:11:57 |
Matt Riedemann |
nova: importance |
Undecided |
High |
|
2019-07-26 15:04:43 |
Matt Riedemann |
attachment added |
|
WIP-Obfuscate-non-nova-server-fault-message.patch https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279421/+files/WIP-Obfuscate-non-nova-server-fault-message.patch |
|
2019-07-26 15:54:09 |
Matt Riedemann |
attachment added |
|
WIP patch with code fix https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279430/+files/WIP-Obfuscate-non-nova-server-fault-message.patch |
|
2019-07-26 16:15:30 |
Matt Riedemann |
attachment added |
|
WIP patch with code and test fix and release note https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279432/+files/WIP-Obfuscate-non-nova-server-fault-message.patch |
|
2019-07-26 19:55:22 |
Matt Riedemann |
nominated for series |
|
nova/stein |
|
2019-07-26 19:55:22 |
Matt Riedemann |
bug task added |
|
nova/stein |
|
2019-07-26 19:55:22 |
Matt Riedemann |
nominated for series |
|
nova/ocata |
|
2019-07-26 19:55:22 |
Matt Riedemann |
bug task added |
|
nova/ocata |
|
2019-07-26 19:55:22 |
Matt Riedemann |
nominated for series |
|
nova/rocky |
|
2019-07-26 19:55:22 |
Matt Riedemann |
bug task added |
|
nova/rocky |
|
2019-07-26 19:55:22 |
Matt Riedemann |
nominated for series |
|
nova/pike |
|
2019-07-26 19:55:22 |
Matt Riedemann |
bug task added |
|
nova/pike |
|
2019-07-26 19:55:22 |
Matt Riedemann |
nominated for series |
|
nova/queens |
|
2019-07-26 19:55:22 |
Matt Riedemann |
bug task added |
|
nova/queens |
|
2019-07-26 20:39:53 |
Matt Riedemann |
attachment added |
|
Stein cherry pick https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279517/+files/WIP-Obfuscate-non-nova-server-fault-message-stein.patch |
|
2019-07-26 20:40:09 |
Matt Riedemann |
nova/stein: status |
New |
In Progress |
|
2019-07-26 20:40:12 |
Matt Riedemann |
nova: status |
Triaged |
In Progress |
|
2019-07-26 20:40:14 |
Matt Riedemann |
nova/stein: importance |
Undecided |
High |
|
2019-07-26 20:51:46 |
Matt Riedemann |
attachment added |
|
Rocky cherry-pick patch. https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279518/+files/WIP-Obfuscate-non-nova-server-fault-message-rocky.patch |
|
2019-07-26 20:52:01 |
Matt Riedemann |
nova/rocky: status |
New |
In Progress |
|
2019-07-26 20:52:03 |
Matt Riedemann |
nova/rocky: importance |
Undecided |
High |
|
2019-07-26 21:02:47 |
Matt Riedemann |
attachment added |
|
Queens cherry-pick https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279519/+files/WIP-Obfuscate-non-nova-server-fault-message-queens.patch |
|
2019-07-26 21:03:05 |
Matt Riedemann |
nova/queens: status |
New |
In Progress |
|
2019-07-26 21:03:07 |
Matt Riedemann |
nova/queens: importance |
Undecided |
High |
|
2019-07-26 21:03:11 |
Matt Riedemann |
nova/stein: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-26 21:03:13 |
Matt Riedemann |
nova/rocky: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-26 21:03:14 |
Matt Riedemann |
nova/queens: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-26 21:37:09 |
Matt Riedemann |
attachment added |
|
pike fake driver power off patch https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279522/+files/Implement-power_off-power_on-for-the-FakeDriver-pike.patch |
|
2019-07-26 21:37:54 |
Matt Riedemann |
attachment added |
|
Pike cherry-pick https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279523/+files/WIP-Obfuscate-non-nova-server-fault-message-pike.patch |
|
2019-07-26 21:38:07 |
Matt Riedemann |
nova/pike: status |
New |
In Progress |
|
2019-07-26 21:38:09 |
Matt Riedemann |
nova/pike: importance |
Undecided |
High |
|
2019-07-26 21:38:11 |
Matt Riedemann |
nova/pike: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-29 14:07:45 |
Matt Riedemann |
attachment added |
|
ocata patches https://bugs.launchpad.net/nova/+bug/1837877/+attachment/5279813/+files/bug-1837877-ocata.zip |
|
2019-07-29 14:07:55 |
Matt Riedemann |
nova/ocata: status |
New |
In Progress |
|
2019-07-29 14:07:57 |
Matt Riedemann |
nova/ocata: importance |
Undecided |
High |
|
2019-07-29 14:07:59 |
Matt Riedemann |
nova/ocata: assignee |
|
Matt Riedemann (mriedem) |
|
2019-07-29 18:29:50 |
Jeremy Stanley |
ossa: status |
Incomplete |
Triaged |
|
2019-07-29 18:29:56 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
2019-07-29 18:30:00 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
2019-07-29 18:40:55 |
Jeremy Stanley |
ossa: status |
Triaged |
In Progress |
|
2019-07-29 22:40:20 |
Jeremy Stanley |
summary |
Error message reveals ceph information |
Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433) |
|
2019-07-31 14:45:15 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Committed |
|
2019-07-31 16:15:19 |
Jeremy Stanley |
bug |
|
|
added subscriber Ryan Beisner |
2019-07-31 23:06:29 |
Jeremy Stanley |
bug |
|
|
added subscriber Joshua Padman |
2019-08-01 16:28:52 |
Jeremy Stanley |
bug |
|
|
added subscriber Corey Bryant |
2019-08-02 13:34:56 |
Corey Bryant |
bug |
|
|
added subscriber Sahid Orentino |
2019-08-06 13:59:37 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2019-08-06 14:40:08 |
Jeremy Stanley |
summary |
Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433) |
[OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433) |
|
2019-08-06 19:58:52 |
OpenStack Infra |
cve linked |
|
2019-14433 |
|
2019-08-07 04:24:01 |
Alex Murray |
bug |
|
|
added subscriber Alex Murray |
2019-08-07 05:20:57 |
OpenStack Infra |
nova: status |
In Progress |
Fix Released |
|
2019-08-07 16:11:51 |
OpenStack Infra |
nova/stein: status |
In Progress |
Fix Committed |
|
2019-08-08 07:05:22 |
OpenStack Infra |
nova/rocky: status |
In Progress |
Fix Committed |
|
2019-08-09 05:06:14 |
OpenStack Infra |
nova/queens: status |
In Progress |
Fix Committed |
|
2019-08-09 13:48:19 |
Jeremy Stanley |
ossa: status |
Fix Committed |
Fix Released |
|
2019-08-09 16:42:11 |
OpenStack Infra |
nova/pike: status |
In Progress |
Fix Committed |
|
2019-08-13 21:26:21 |
OpenStack Infra |
nova/ocata: status |
In Progress |
Fix Committed |
|
2019-11-14 14:05:06 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
It would appear Nova is revealing information that may be sensitive in error messages
http://lists.openstack.org/pipermail/openstack-infra/2019-July/006426.html
I attempted to hard-reboot it, and it went into an error state. The initial error in the server status was
{'message': 'Timed out during operation: cannot acquire state change lock (held by monitor=remoteDispatchDomainCreateWithFlags)', 'code': 500, 'created': '2019-07-25T07:25:25Z'}
After a short period, I tried again and got a different error state
{'message': "internal error: process exited while connecting to monitor: lc=,keyid=masterKey0,iv=jHURYcYDkXqGBu4pC24bew==,format=base64 -drive 'file=rbd:volumes/volume-41553c15-6b12-4137-a318-7caf6a9eb44c:id=cinder:auth_supported=cephx\\;none:mon_host=172.24.0.56\\:6789", 'code': 500, 'created': '2019-07-25T07:27:21Z'}
I don't know if this is a setting or a bug. Better to report and close than not say anything I guess. |
It would appear Nova is revealing information that may be sensitive in error messages
http://lists.openstack.org/pipermail/openstack-infra/2019-July/006426.html
I attempted to hard-reboot it, and it went into an error state. The initial error in the server status was
{'message': 'Timed out during operation: cannot acquire state change lock (held by monitor=remoteDispatchDomainCreateWithFlags)', 'code': 500, 'created': '2019-07-25T07:25:25Z'}
After a short period, I tried again and got a different error state
{'message': "internal error: process exited while connecting to monitor: lc=,keyid=masterKey0,iv=jHURYcYDkXqGBu4pC24bew==,format=base64 -drive 'file=rbd:volumes/volume-41553c15-6b12-4137-a318-7caf6a9eb44c:id=cinder:auth_supported=cephx\\;none:mon_host=172.24.0.56\\:6789", 'code': 500, 'created': '2019-07-25T07:27:21Z'}
I don't know if this is a setting or a bug. Better to report and close than not say anything I guess. |
|
2022-08-01 11:06:38 |
OpenStack Infra |
nova/pike: status |
Fix Committed |
Fix Released |
|