Bug 1147722 (CVE-2014-7230, CVE-2014-7231)
Summary: | CVE-2014-7230 CVE-2014-7231 OpenStack Cinder, Nova, Trove: potential leak of passwords into log files | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, chrisw, dallan, dasmith, davidx, eharney, gkotton, gmollett, itamar, jonathansteffan, jose.castro.leon, jrusnack, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, pbrady, p, rbryant, rk, sbauza, sclewis, sferdjao, sgordon, sgotliv, vdanen, vladanovic, vromanso, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-12-02 17:44:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1147724, 1147725, 1147726, 1149984, 1149985, 1150810, 1150811, 1150883, 1150884, 1150885, 1150886, 1150887, 1150888 | ||
Bug Blocks: | 1147727, 1150352 |
Description
Murray McAllister
2014-09-30 00:30:07 UTC
MITRE assigned CVE-2014-7230 and CVE-2014-7231. Quoting http://seclists.org/oss-sec/2014/q3/853 "" There are (at least) two CVE IDs needed because of the different vulnerability types. The older code in which processutils.execute was simply logging cmd directly, without any masking step, can be considered an instance of the http://cwe.mitre.org/data/definitions/532.html issue. For this, use CVE-2014-7230. The older code with a short _FORMAT_PATTERNS list, with a later replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists, can be considered an instance of the http://cwe.mitre.org/data/definitions/184.html issue. Bug #1343604 mentions 'mask_password did not, for example, catch the usage ... /usr/sbin/mysqld --password=top-secret ... They did catch ... /usr/sbin/mysqld --password="top-secret" ... make the strings in strutils.mask_password more robust.' For this, use CVE-2014-7231. "" Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1150811] Created openstack-cinder tracking bugs for this issue: Affects: fedora-all [bug 1150810] From upstream: " Notes: The former patch did not cover the ssh_execute method used in Nova and Cinder, thus two more patches are required for these projects. Nova and Cinder fixes are included in the 2014.2rc2 release candidate and will appear in a future 2014.1.4 release. Trove fix was included in the 2014.2rc1 release candidate and 2014.1.3 release. " Going by the assignment from MITRE, the ssh_execute case is not covered by these 2 CVE assignments. The ssh_execute case should be considered a separate bug and is currently considered a hardening fix and has no CVE assignment. This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1788 https://rhn.redhat.com/errata/RHSA-2014-1788.html This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1787 https://rhn.redhat.com/errata/RHSA-2014-1787.html This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1782 https://rhn.redhat.com/errata/RHSA-2014-1782.html This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1689 https://rhn.redhat.com/errata/RHSA-2014-1689.html This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1939 https://rhn.redhat.com/errata/RHSA-2014-1939.html |