Bug 1218640 (CVE-2015-3646)

Summary: CVE-2015-3646 openstack-keystone: cache backend password leak in log (OSSA 2015-008)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, apevec, ayoung, bfilippov, chrisw, dallan, gkotton, gmollett, itamar, jlennox, jonathansteffan, jose.castro.leon, lhh, lpeer, markmc, nkinder, p, rbryant, sclewis, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-28 06:29:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1218642, 1218644, 1246362    
Bug Blocks: 1218647    

Description Martin Prpič 2015-05-05 13:20:36 UTC 
The following flaw was found in Keystone:

Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted.

Upstream patches:

https://review.openstack.org/175519 (Icehouse)
https://review.openstack.org/173116 (Juno)

Upstream bug:

https://launchpad.net/bugs/1443598

Upstream advisory:

http://www.openwall.com/lists/oss-security/2015/05/05/11
Comment 1 Martin Prpič 2015-05-05 13:23:31 UTC 
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1218642]
Affects: openstack-rdo [bug 1218644]
Comment 3 Garth Mollett 2015-07-28 06:28:49 UTC 
Statement:

While this issue does occur in openstack-keystone packages as shipped in Red Hat Enterprise Linux OpenStack Platform versions 5 and 6 it is not believed to be exploitable as access to the keystone logs is restricted with file-system permissions.