Comment 6 for bug 1244476
Revision history for this message
| Thierry Carrez (ttx) wrote Re: Ceilometer log contains DB password in plain text | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Proposed impact description, please check that it's accurately describing the issue:
-------
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions
Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected.