|
Message-ID: <20170323144253.GF12842@openstack.org>
Date: Thu, 23 Mar 2017 14:42:53 +0000
From: Jeremy Stanley <jeremy@...nstack.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2017-002] Nova logs sensitive context from notification
exceptions (CVE-2017-7214)
=======================================================================
OSSA-2017-002: Nova logs sensitive context from notification exceptions
=======================================================================
:Date: March 23, 2017
:CVE: CVE-2017-7214
Affects
~~~~~~~
- Nova: >=13.0.0 <=13.1.3, >=14.0.0 <=14.0.4, >=15.0.0 <=15.0.1
Description
~~~~~~~~~~~
Matt Riedemann with Huawei reported a vulnerability in Nova. Legacy
notification exception contexts appearing in ERROR level logs may
include sensitive information such as account passwords and
authorization tokens. All Nova setups are affected.
Patches
~~~~~~~
- https://review.openstack.org/447075 (Mitaka)
- https://review.openstack.org/447072 (Newton)
- https://review.openstack.org/447071 (Ocata)
- https://review.openstack.org/446948 (Pike)
Credits
~~~~~~~
- Matt Riedemann from Huawei (CVE-2017-7214)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1673569
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7214
--
Jeremy Stanley
OpenStack Vulnerability Management Team
Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.