Bug 1420990 (CVE-2017-2621)

Summary: CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, augol, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, rbryant, rhel-osp-director-maint, sbaker, sclewis, security-response-team, shardy, srevivo, tdecacqu, zbitter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-14 23:13:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1420997, 1420998, 1420999, 1422265    
Bug Blocks: 1418888    

Description Summer Long 2017-02-10 04:46:10 UTC 
The directory /var/log/heat is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/heat directory:

[stack@instack ~]$ ls -la /var/log/heat
total 39376
drwxr-xr-x.  2 heat root     4096 Feb  9 01:07 .
drwxr-xr-x. 31 root root     4096 Feb  9 01:02 ..
-rw-r--r--.  1 heat heat   201578 Feb  9 20:09 heat-api-cfn.log
-rw-r--r--.  1 heat heat  4899693 Feb  9 20:09 heat-api.log
-rw-r--r--.  1 heat heat 35193112 Feb  9 23:40 heat-engine.log
Comment 1 Summer Long 2017-02-10 05:07:35 UTC 
Acknowledgments:

Name: Hans Feldt (Ericsson)
Comment 3 Summer Long 2017-02-14 22:23:48 UTC 
Created openstack-heat tracking bugs for this issue:

Affects: openstack-rdo [bug 1422265]
Comment 9 errata-xmlrpc 2017-05-17 12:19:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1243 https://access.redhat.com/errata/RHSA-2017:1243
Comment 10 errata-xmlrpc 2017-06-14 15:37:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:1464 https://access.redhat.com/errata/RHSA-2017:1464