Message-Id: <20140930023940.33C5872E0FC@smtpvbsrv1.mitre.org>
Date: Mon, 29 Sep 2014 22:39:40 -0400 (EDT)
From: cve-assign@...re.org
To: tristan.cacqueray@...vance.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> A vulnerability was discovered in OpenStack (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public, although
> an advisory has not been sent yet.
>
> Products: Cinder, Nova, Trove
> Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2
>
> Amrith Kumar from Tesora reported two vulnerabilities in the
> processutils.execute() and strutils.mask_password() functions available
> from oslo-incubator that are copied into each project's code. An
> attacker with read access to the services' logs may obtain passwords
> used as a parameter of a command that has failed, or when
> mask_password did not mask passwords properly.
>
> https://launchpad.net/bugs/1343604
> https://launchpad.net/bugs/1345233

There are (at least) two CVE IDs needed because of the different
vulnerability types.

The older code in which processutils.execute was simply logging cmd
directly, without any masking step, can be considered an instance of the
http://cwe.mitre.org/data/definitions/532.html issue. For this, use
CVE-2014-7230.

The older code with a short _FORMAT_PATTERNS list, with a later
replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists,
can be considered an instance of the
http://cwe.mitre.org/data/definitions/184.html issue. Bug #1343604
mentions 'mask_password did not, for example, catch the usage ...
/usr/sbin/mysqld --password=top-secret ... They did catch ...
/usr/sbin/mysqld --password="top-secret" ... make the strings in
strutils.mask_password more robust.' For this, use CVE-2014-7231.
The additional complication is that there were apparently already
releases with incomplete fixes for CVE-2014-7230. Separate CVE IDs are
needed when parts of the problem were fixed in different releases. For
example, Cinder 2013.2.4 contains a fix for the "Running cmd
(subprocess)" logging problem but apparently does not contain a fix for
the "Running cmd (SSH)" logging problem. The patch for the latter is
shown in the
https://git.openstack.org/cgit/openstack/trove/commit/?id=9672744f090d462cac5eb757ceaacd7122362708
commit. Is this a remaining vulnerability in Cinder 2013.2.4 and
possibly other products? If so, then we will assign another CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUKhdhAAoJEKllVAevmvmsu4MIAKRxemkmF1byrCIXSNAR2Y7P
p7ERBGHORZVT8O9MnJWue19sSc1LiWkmUCBLXgKaApJe3USEqFJjTKpm8GW10zmr
hnOUBVnD8kOB4oqy8rAeEFp6+e+p5AVJY+xcJggVP5Q1KAT/it3AS3e7+YFqHVk/
0833Y1WWmME3KW+1QVPPV//bjLl0AqbYBH5n3HV1fFnn2eo/LEaMgLKAlcUFIq3A
onbuxpQ0lUIptpvQa7inSfi7D8kOgXjYsRrrwJKkM6nZAM2bt+68mxxiW7FUDUPp
q0iAAKMIPg+OgEi3t+8HJZIZR6oaGgVQ7Askc9kohA4e0Az6qB7TV3rKf2g/tfw=
=YprV
-----END PGP SIGNATURE-----
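The two weaknesses the mail separates, an incomplete redaction pattern list (CWE-184, CVE-2014-7231) and a command logged with no masking step at all (CWE-532, CVE-2014-7230), are easy to reproduce side by side. The block below is an added example written for this archive page; it is not oslo-incubator's strutils/processutils code and its pattern lists are not the _FORMAT_PATTERNS lists from the bug reports. The key names in SECRET_KEYS, the WEAK_PATTERNS and ROBUST_PATTERNS lists, the log_command helper and the sample command lines are all constructed for illustration. WEAK_PATTERNS only redacts a double-quoted value, which is the shape of failure the quoted bug comment describes (catching --password="top-secret" but not --password=top-secret); ROBUST_PATTERNS also handles single-quoted and bare values, and log_command masks before the log call rather than logging the joined cmd directly.

```python
import logging
import re

# Hypothetical key names to redact; the real oslo lists are longer and differ.
SECRET_KEYS = ("password", "admin_password", "secret", "token")
_KEY_ALT = "|".join(SECRET_KEYS)

# Weak pattern set, illustrative of an incomplete list (CWE-184): each entry
# only matches a double-quoted value, so --password=top-secret and
# --password='top-secret' pass through untouched.
WEAK_PATTERNS = [
    (re.compile(r'(%s=")[^"]*(")' % key), r"\g<1>***\g<2>") for key in SECRET_KEYS
]

# Broader pattern set: the key may be followed by = or :, and the value may be
# double-quoted, single-quoted, or bare (running to the next whitespace).
# The quoted form is applied first so the bare form never sees an opening quote.
ROBUST_PATTERNS = [
    (re.compile(r'((?:%s)\s*[=:]\s*)(["\'])(?:.*?)\2' % _KEY_ALT, re.IGNORECASE),
     r"\g<1>\g<2>***\g<2>"),
    (re.compile(r'((?:%s)\s*[=:]\s*)[^\s"\']+' % _KEY_ALT, re.IGNORECASE),
     r"\g<1>***"),
]


def mask_password(message, patterns=ROBUST_PATTERNS):
    """Return message with every recognised secret value replaced by ***."""
    for pattern, replacement in patterns:
        message = pattern.sub(replacement, message)
    return message


def log_command(cmd, logger=logging.getLogger(__name__)):
    """Log a subprocess command safely and return the string that was logged.

    The vulnerable processutils.execute logged the joined cmd directly
    (CWE-532); masking before the log call is the fix.
    """
    sanitized = mask_password(" ".join(cmd))
    logger.debug("Running cmd (subprocess): %s", sanitized)
    return sanitized


# Constructed command lines, in the shape the bug report describes.
SAMPLES = [
    '/usr/sbin/mysqld --password="top-secret"',
    "/usr/sbin/mysqld --password=top-secret",
    "mysql -u trove --password='top-secret' -e 'show databases'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("weak:   ", mask_password(sample, WEAK_PATTERNS))
        print("robust: ", mask_password(sample))
```

Running the block prints each sample twice: the weak list leaves the bare and single-quoted passwords in clear, which is exactly what an attacker with log read access would harvest; the broader list redacts all three. Note that a regex list is still a blacklist, so any new option spelling (for instance a short flag with the value attached, as mysql's -p accepts) needs its own pattern, which is why the fix in the mail is described as making the strings "more robust" rather than complete.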