Date: Mon, 29 Sep 2014 22:39:40 -0400 (EDT)
Subject: Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove

> A vulnerability was discovered in OpenStack (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public, although
> an advisory was not sent yet.
>
> Products: Cinder, Nova, Trove
> Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2
>
> Amrith Kumar from Tesora reported two vulnerabilities in the
> processutils.execute() and strutils.mask_password() functions available
> from oslo-incubator that are copied into each project's code. An
> attacker with read access to the services' logs may obtain passwords
> used as a parameter of a command that have failed or when the
> mask_password did not mask passwords properly.

There are (at least) two CVE IDs needed because of the different
vulnerability types. The older code in which processutils.execute was
simply logging cmd directly, without any masking step, can be
considered an instance of the issue. For this, use

The older code with a short _FORMAT_PATTERNS list, with a later
replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists,
can be considered an instance of the issue. Bug #1343604
mentions 'mask_password did not, for example, catch the usage ...
/usr/sbin/mysqld --password=top-secret ... They did catch ...
/usr/sbin/mysqld --password="top-secret" ... make the strings in
strutils.mask_password more robust.' For this, use CVE-2014-7231.

The additional complication is that there were apparently already
releases with incomplete fixes for CVE-2014-7230. Separate CVE IDs are
needed when parts of the problem were fixed in different releases. For
example, Cinder 2013.2.4 contains a fix for the "Running cmd
(subprocess)" logging problem but apparently does not contain a fix
for the "Running cmd (SSH)" logging problem. The patch for the latter
is shown in the
commit. Is this a remaining vulnerability in Cinder 2013.2.4 and
possibly other products? If so, then we will assign another CVE ID.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
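The two failure modes the message distinguishes, a command logged with no masking step at all (the "Running cmd (subprocess)" / "Running cmd (SSH)" paths) and a mask_password whose pattern list catches `--password="top-secret"` but not `--password=top-secret` (bug #1343604), as an added Python example. This is not code from oslo-incubator, Cinder, Nova or Trove: the pattern lists, the helper names, the `-n node.session.auth.password -v` spelling and the sample command lines below are our own constructions for illustration.

```python
import re

# Constructed sample command lines (not taken from any real log). The value
# "top-secret" is the made-up credential we expect to be masked.
SECRET = 'top-secret'
SAMPLES = [
    '/usr/sbin/mysqld --password=top-secret --user=trove',
    '/usr/sbin/mysqld --password="top-secret" --user=trove',
    "/usr/sbin/mysqld --password='top-secret' --user=trove",
    'iscsiadm -m node -T iqn.2010-10.org.openstack:volume-1 -p 10.0.0.5 '
    '--op update -n node.session.auth.password -v top-secret',
]

# A deliberately narrow list in the spirit of the "short _FORMAT_PATTERNS"
# the message describes: only the double-quoted spelling is recognised.
# Hypothetical; this is not oslo's actual pattern list.
NARROW_PATTERNS = [
    r'(--password=")[^"]*(")',
]

# A broader, hypothetical list: double-quoted, single-quoted and bare values
# of --password/-password, plus the "-n <key> -v <value>" spelling used for
# an iSCSI CHAP secret. Group 1 (and group 2 for quoted forms) keep the
# surrounding syntax; only the value between them is replaced.
ROBUST_PATTERNS = [
    r'(--?password=")[^"]*(")',
    r"(--?password=')[^']*(')",
    r'(--?password=)[^\s"\']+',
    r'(auth\.password\s+-v\s+)\S+',
]


def mask_password(message, patterns=ROBUST_PATTERNS, secret='***'):
    """Replace every value captured by the pattern list with `secret`.

    Each regex keeps the syntax around the value in group 1 (and, for quoted
    forms, the closing quote in group 2), so the command stays readable in
    the log while the credential itself is hidden.
    """
    def _replace(match):
        closing = match.group(2) if match.re.groups >= 2 else ''
        return match.group(1) + secret + closing

    for pattern in patterns:
        message = re.sub(pattern, _replace, message)
    return message


def log_cmd_unmasked(cmd, transport='subprocess'):
    """Older behaviour: the command goes into the log line as-is, with no
    masking step, whether the execute path is subprocess or SSH."""
    return 'Running cmd (%s): %s' % (transport, cmd)


def log_cmd_masked(cmd, transport='subprocess', patterns=ROBUST_PATTERNS):
    """Fixed behaviour: every execute path routes the command through
    mask_password() before it reaches the log."""
    return 'Running cmd (%s): %s' % (transport, mask_password(cmd, patterns))


def audit(patterns, samples=SAMPLES, secret=SECRET, transport='subprocess'):
    """Return the sample commands whose masked log line still contains `secret`.

    An empty list means the pattern list caught every spelling in `samples`;
    each entry left over is a log line a reader of the service logs could
    harvest a credential from.
    """
    return [cmd for cmd in samples
            if secret in log_cmd_masked(cmd, transport, patterns)]


if __name__ == '__main__':
    print('Unmasked logging exposes all %d samples' % len(SAMPLES))
    leaking = audit(NARROW_PATTERNS)
    print('Narrow patterns still expose %d samples:' % len(leaking))
    for cmd in leaking:
        print('  ' + log_cmd_masked(cmd, patterns=NARROW_PATTERNS))
    print('Robust patterns expose %d samples' % len(audit(ROBUST_PATTERNS)))
    for cmd in SAMPLES:
        print('  ' + log_cmd_masked(cmd, 'SSH'))
```

The `audit()` check is the one worth keeping around after a fix lands: a pattern list is only as good as the spellings it was written against, so each new command that carries a credential (a new CLI flag, a `key value` pair instead of `key=value`) belongs in the sample set, and both the subprocess and the SSH execute paths have to be exercised, since the message notes that one release fixed one path but apparently not the other.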

