Bug 1147722 (CVE-2014-7230, CVE-2014-7231)

Summary: CVE-2014-7230 CVE-2014-7231 OpenStack Cinder, Nova, Trove: potential leak of passwords into log files
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, chrisw, dallan, dasmith, davidx, eharney, gkotton, gmollett, itamar, jonathansteffan, jose.castro.leon, jrusnack, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, pbrady, p, rbryant, rk, sbauza, sclewis, sferdjao, sgordon, sgotliv, vdanen, vladanovic, vromanso, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-02 17:44:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1147724, 1147725, 1147726, 1149984, 1149985, 1150810, 1150811, 1150883, 1150884, 1150885, 1150886, 1150887, 1150888    
Bug Blocks: 1147727, 1150352    

Description Murray McAllister 2014-09-30 00:30:07 UTC 
The OpenStack project reports:

""
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that have failed or when the
mask_password did not mask passwords properly.
""

CVE request:
http://seclists.org/oss-sec/2014/q3/846

References:
https://launchpad.net/bugs/1343604
https://launchpad.net/bugs/1345233
Comment 5 Murray McAllister 2014-09-30 05:37:49 UTC 
MITRE assigned CVE-2014-7230 and CVE-2014-7231. Quoting http://seclists.org/oss-sec/2014/q3/853

""
There are (at least) two CVE IDs needed because of the different
vulnerability types. The older code in which processutils.execute was
simply logging cmd directly, without any masking step, can be
considered an instance of the
http://cwe.mitre.org/data/definitions/532.html issue. For this, use
CVE-2014-7230.

The older code with a short _FORMAT_PATTERNS list, with a later
replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists,
can be considered an instance of the
http://cwe.mitre.org/data/definitions/184.html issue. Bug #1343604
mentions 'mask_password did not, for example, catch the usage ...
/usr/sbin/mysqld --password=top-secret ... They did catch ...
/usr/sbin/mysqld --password="top-secret" ... make the strings in
strutils.mask_password more robust.' For this, use CVE-2014-7231.
""
Comment 8 Murray McAllister 2014-10-09 02:26:35 UTC 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1150811]
Comment 9 Murray McAllister 2014-10-09 02:26:40 UTC 
Created openstack-cinder tracking bugs for this issue:

Affects: fedora-all [bug 1150810]
Comment 16 Garth Mollett 2014-10-20 06:08:08 UTC 
From upstream:

"
Notes:
The former patch did not cover the ssh_execute method used in Nova and
Cinder, thus two more patches are required for these projects.
Nova and Cinder fixes are included in the 2014.2rc2 release candidate
and will appear in a future 2014.1.4 release.
Trove fix was included in the 2014.2rc1 release candidate and 2014.1.3
release.
"
Comment 17 Garth Mollett 2014-10-20 06:15:11 UTC 
https://bugs.launchpad.net/ossa/+bug/1377981
Comment 18 Garth Mollett 2014-11-13 00:39:49 UTC 
Going by the assignment from MITRE, the ssh_execute case is not covered by these 2 CVE assignments. The ssh_execute case should be considered a separate bug and is currently considered a hardening fix and has no CVE assignment.
Comment 19 Garth Mollett 2014-11-13 01:01:36 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1788 https://rhn.redhat.com/errata/RHSA-2014-1788.html
Comment 20 Garth Mollett 2014-11-13 01:01:59 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1787 https://rhn.redhat.com/errata/RHSA-2014-1787.html
Comment 21 Garth Mollett 2014-11-13 01:02:33 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1782 https://rhn.redhat.com/errata/RHSA-2014-1782.html
Comment 22 Garth Mollett 2014-11-13 01:02:54 UTC 
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1689 https://rhn.redhat.com/errata/RHSA-2014-1689.html
Comment 23 errata-xmlrpc 2014-12-02 17:03:01 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1939 https://rhn.redhat.com/errata/RHSA-2014-1939.html