Exceptions thrown, and messages logged by execute() may include passwords (CVE-2014-7230)
Bug #1343604 reported by
Amrith Kumar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
Fix Released
|
Medium
|
Jay Bryant | ||
Havana |
Fix Released
|
Medium
|
Tristan Cacqueray | ||
Icehouse |
Fix Released
|
Medium
|
Ihar Hrachyshka | ||
OpenStack Compute (nova) |
Fix Released
|
Medium
|
Unassigned | ||
Havana |
Fix Released
|
Medium
|
Unassigned | ||
Icehouse |
Fix Released
|
Medium
|
Tristan Cacqueray | ||
OpenStack DBaaS (Trove) |
Fix Released
|
Medium
|
Tristan Cacqueray | ||
Icehouse |
Fix Released
|
Undecided
|
Tristan Cacqueray | ||
oslo-incubator |
Fix Released
|
Medium
|
Amrith Kumar |
Bug Description
Currently when execute() throws a ProcessExecutio
It would be prudent to mask the password in the exception as well so that upstream catchers don't have to go through the mask_password() motions.
The same also goes for stdout and stderr information which should be sanitized.
Related branches
lp:~corey.bryant/nova/2014.1.3-0ubuntu2
- Chuck Short: Pending requested
-
Diff: 22 lines (+12/-0)1 file modifieddebian/changelog (+12/-0)
CVE References
Changed in oslo: | |
assignee: | nobody → Amrith (amrith) |
Changed in oslo: | |
status: | New → Incomplete |
status: | Incomplete → New |
Changed in ossa: | |
status: | New → Incomplete |
Changed in oslo: | |
status: | New → In Progress |
Changed in ossa: | |
importance: | Undecided → High |
assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
summary: |
- Exceptions thrown by execute() return a command that potentially + Exceptions thrown by execute() return information that potentially includes passwords |
description: | updated |
summary: |
- Exceptions thrown by execute() return information that potentially - includes passwords + Exceptions thrown, and messages logged by execute() may include + passwords |
Changed in ossa: | |
importance: | High → Medium |
Changed in ossa: | |
status: | Confirmed → Triaged |
tags: | added: compute |
no longer affects: | trove/icehouse |
no longer affects: | trove/havana |
Changed in trove: | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in nova: | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in oslo-incubator: | |
status: | Fix Committed → Fix Released |
milestone: | none → juno-3 |
Changed in oslo-incubator: | |
importance: | Undecided → Medium |
Changed in cinder: | |
importance: | Undecided → Medium |
Changed in nova: | |
assignee: | Davanum Srinivas (DIMS) (dims-v) → nobody |
Changed in cinder: | |
status: | In Progress → Fix Committed |
Changed in nova: | |
status: | In Progress → Fix Committed |
Changed in cinder: | |
milestone: | none → juno-rc1 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | none → juno-rc1 |
status: | Fix Committed → Fix Released |
Changed in trove: | |
milestone: | none → juno-rc1 |
status: | Fix Committed → Fix Released |
summary: |
Exceptions thrown, and messages logged by execute() may include - passwords + passwords (CVE-2014-7230) |
Changed in nova: | |
milestone: | juno-rc1 → 2014.2 |
Changed in cinder: | |
milestone: | juno-rc1 → 2014.2 |
Changed in trove: | |
milestone: | juno-rc1 → 2014.2 |
To post a comment you must log in.
Thanks for your bug report. It does look like this could lead to information leakage in the exception handler cases where attempts > 0 and possibly when the exception is propagated up (when attempts == 0).
I'm marking the OSSA bug task as incomplete until discussed with other VMT members as to whether we will issue an advisory for this problem.