Bug 1033715 (CVE-2013-6384)

Summary: CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, jruzicka, lhh, markmc, pbrady, rbryant, rhos-maint, sclewis, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-10 05:34:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1033719, 1033720, 1033721    
Bug Blocks: 1033718    

Description Kurt Seifried 2013-11-22 17:01:21 UTC 
Thierry Carrez of the OpenStack project reports:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

"""
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The
password for the DB2 or MongoDB backends was logged at INFO level in the
ceilometer-api logs. An attacker with access to the logs (local shell,
log aggregation system access, or accidental leak) may leverage this
vulnerability to elevate privileges and gain direct full access to the
Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB
backends are affected.
"""

External References:
https://bugs.launchpad.net/ceilometer/+bug/1244476
Comment 2 Vincent Danen 2013-11-22 18:03:32 UTC 
Icehouse (development branch) fix:
https://review.openstack.org/#/c/54553/

Havana fix:
https://review.openstack.org/#/c/56396/