Exceptions thrown, and messages logged by execute() may include passwords (CVE-2014-7230)
Bug #1343604 reported by Amrith Kumar
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | Medium | Jay Bryant | |
| Havana | Fix Released | Medium | Tristan Cacqueray | |
| Icehouse | Fix Released | Medium | Ihar Hrachyshka | |
| OpenStack Compute (nova) | Fix Released | Medium | Unassigned | |
| Havana | Fix Released | Medium | Unassigned | |
| Icehouse | Fix Released | Medium | Tristan Cacqueray | |
| OpenStack DBaaS (Trove) | Fix Released | Medium | Tristan Cacqueray | |
| Icehouse | Fix Released | Undecided | Tristan Cacqueray | |
| oslo-incubator | Fix Released | Medium | Amrith Kumar | |
Bug Description
Currently when execute() throws a ProcessExecutio
It would be prudent to mask the password in the exception as well so that upstream catchers don't have to go through the mask_password() motions.
The same also goes for stdout and stderr information which should be sanitized.
Related branches
lp:~corey.bryant/nova/2014.1.3-0ubuntu2
- Chuck Short: Pending requested
- Diff: 22 lines (+12/-0), 1 file modified: debian/changelog (+12/-0)
CVE References
| Changed in oslo: | |
| assignee: | nobody → Amrith (amrith) |
| Changed in oslo: | |
| status: | New → Incomplete |
| status: | Incomplete → New |
| Changed in ossa: | |
| status: | New → Incomplete |
| Changed in oslo: | |
| status: | New → In Progress |
| Changed in ossa: | |
| importance: | Undecided → High |
| assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
| summary: |
- Exceptions thrown by execute() return a command that potentially + Exceptions thrown by execute() return information that potentially includes passwords |
| description: | updated |
| summary: |
- Exceptions thrown by execute() return information that potentially - includes passwords + Exceptions thrown, and messages logged by execute() may include + passwords |
| Changed in ossa: | |
| importance: | High → Medium |
| Changed in ossa: | |
| status: | Confirmed → Triaged |
| tags: | added: compute |
| no longer affects: | trove/icehouse |
| no longer affects: | trove/havana |
| Changed in trove: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in nova: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in oslo-incubator: | |
| status: | Fix Committed → Fix Released |
| milestone: | none → juno-3 |
| Changed in oslo-incubator: | |
| importance: | Undecided → Medium |
| Changed in cinder: | |
| importance: | Undecided → Medium |
| Changed in nova: | |
| assignee: | Davanum Srinivas (DIMS) (dims-v) → nobody |
| Changed in cinder: | |
| status: | In Progress → Fix Committed |
| Changed in nova: | |
| status: | In Progress → Fix Committed |
| Changed in cinder: | |
| milestone: | none → juno-rc1 |
| status: | Fix Committed → Fix Released |
| Changed in nova: | |
| milestone: | none → juno-rc1 |
| status: | Fix Committed → Fix Released |
| Changed in trove: | |
| milestone: | none → juno-rc1 |
| status: | Fix Committed → Fix Released |
| summary: |
Exceptions thrown, and messages logged by execute() may include - passwords + passwords (CVE-2014-7230) |
| Changed in nova: | |
| milestone: | juno-rc1 → 2014.2 |
| Changed in cinder: | |
| milestone: | juno-rc1 → 2014.2 |
| Changed in trove: | |
| milestone: | juno-rc1 → 2014.2 |

Thanks for your bug report. It does look like this could lead to information leakage in the exception handler cases where attempts > 0 and possibly when the exception is propagated up (when attempts == 0).
I'm marking the OSSA bug task as incomplete until discussed with other VMT members as to whether we will issue an advisory for this problem.
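As an added illustration (not oslo-incubator's code and not the fix that was merged), the sketch below sanitizes the command, stdout and stderr once, when the exception object is built, so that both the retry log message (attempts > 0) and the propagated exception (attempts == 0) carry only masked text. `mask_secrets`, `CommandFailed` and the regular expression are hypothetical stand-ins chosen for this example.

```python
import logging
import re
import subprocess

LOG = logging.getLogger(__name__)

# Hypothetical, simplified pattern (an assumption of this example): matches
# password=VALUE, --token VALUE, secret: 'VALUE' for values without whitespace.
_SECRET_RE = re.compile(
    r"((?:password|passwd|token|secret)\s*[=:\s]\s*)(['\"]?)[^\s'\"]+\2",
    re.IGNORECASE)


def mask_secrets(text, mask="***"):
    """Replace the value following a secret-looking key with a fixed mask."""
    return _SECRET_RE.sub(r"\g<1>\g<2>" + mask + r"\g<2>", text or "")


class CommandFailed(Exception):
    """Hypothetical stand-in for the exception an execute() helper raises."""

    def __init__(self, cmd, exit_code, stdout, stderr):
        # Sanitize at construction: every catcher, log call and traceback
        # downstream only ever sees the masked fields.
        self.cmd = mask_secrets(cmd)
        self.exit_code = exit_code
        self.stdout = mask_secrets(stdout)
        self.stderr = mask_secrets(stderr)
        super().__init__("cmd=%r exit=%s stdout=%r stderr=%r" % (
            self.cmd, self.exit_code, self.stdout, self.stderr))


def execute(*cmd, attempts=1):
    """Run cmd, retrying on failure; never log or raise unmasked text."""
    while True:
        attempts -= 1
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode == 0:
            return proc.stdout, proc.stderr
        err = CommandFailed(" ".join(cmd), proc.returncode,
                            proc.stdout, proc.stderr)
        if attempts <= 0:
            raise err  # propagated path: already masked
        LOG.debug("%s, retrying", err)  # retry path: logs the masked text
```

Masking inside the exception's constructor means a caller that logs `str(exc)` or inspects `exc.stderr` cannot reintroduce the secret by forgetting to sanitize.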