Comment 51 for bug 1343604

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Exceptions thrown, and messages logged by execute() may include passwords

@ttx Thanks for the review!
Note about the versions: affected products have been fixed in time for 2013.2.4 (except Trove, which is not part of Havana).
Here is the updated impact description.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when mask_password did not mask passwords properly.
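
The following sketch illustrates the class of fix the description points to: masking a failed command's arguments and output before they reach an exception message or a log record. It is an added example, not part of the original comment and not the oslo-incubator code; `mask_secrets`, `run_masked`, `CommandFailed` and the key list are hypothetical names chosen for illustration.

```python
import re
import subprocess
import sys

# Hypothetical key list; extend it for the options your services pass around.
_KEYS = r"(?:admin_pass(?:word)?|pass(?:word|wd)?|secret|token)"
# key=value, key: value, "key": "value" and "--key value" forms. A quoted value
# is consumed whole so a password containing spaces is not partially leaked.
_PATTERN = re.compile(
    "(" + _KEYS + r"""['"]?\s*[=:\s]\s*)('[^']*'|"[^"]*"|[^\s'",;]+)""",
    re.IGNORECASE,
)


def mask_secrets(text, mask="***"):
    """Replace the value that follows any known secret key with a mask."""
    return _PATTERN.sub(lambda m: m.group(1) + mask, text)


class CommandFailed(Exception):
    """Raised for a non-zero exit; its message is already masked."""


def run_masked(argv):
    """Run argv and return stdout; on failure raise a masked error."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        # Build the detail string first, then mask it once, so the command
        # line and the captured stderr are both covered.
        detail = "cmd=%s exit=%d stderr=%s" % (
            " ".join(argv), proc.returncode, proc.stderr.strip())
        raise CommandFailed(mask_secrets(detail))
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample: a child process that always exits 3.
    sample = [sys.executable, "-c", "import sys; sys.exit(3)",
              "--password=constructed-example"]
    try:
        run_masked(sample)
    except CommandFailed as exc:
        print(exc)
```

The pattern deliberately over-masks (any token after a matching key is replaced), which is the safer failure mode for log output.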