Bug 1768731 (CVE-2019-3866)

Summary: CVE-2019-3866 openstack-mistral: information disclosure in mistral log
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, dbecker, jjoyce, jschluet, lhh, lpeer, mburns, rhos-maint, sclewis, security-response-team, slinaber, slong, tomckay, tvignaud
Keywords: Security
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/PROJQUAY-145
Fixed In Version: mistral 7.1.0, mistral 8.1.0, mistral 9.0.1
Doc Text:
An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit this flaw to access sensitive user information.
Last Closed: 2021-02-04 20:41:48 UTC
Bug Depends On: 1770039, 1770040, 1770041, 1770042, 1770043, 1770661, 1845935, 1847981
Bug Blocks: 1768733

Description Dhananjay Arunesh 2019-11-05 07:06:02 UTC
A vulnerability was discovered in which all the data from the TripleO heat stack (user-provided and generated passwords, certificates, ssh keys) are available in the mistral logs on the undercloud in clear text.

Comment 4 Summer Long 2019-11-07 23:59:06 UTC
Created openstack-mistral-3 tracking bugs for this issue:

Affects: openstack-rdo [bug 1770043]

Comment 9 Summer Long 2019-11-12 22:27:32 UTC
Acknowledgments:

Name: the OpenStack project
Upstream: Gauvain Pocentek and Clément Beaufils (Kindred Group PLC)

Comment 14 Summer Long 2019-12-20 08:05:44 UTC
Mitigation:

Plain text information can be masked by ensuring that all mistral log files are not world readable.
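An audit and hardening check for the mitigation above, added here as an example; it is not part of the bug report or of the mistral project. The log directory path is an assumption (on a TripleO undercloud the mistral logs are assumed to sit under /var/log/mistral; override it with MISTRAL_LOG_DIR):

```sh
#!/bin/sh
# Added example, not from the bug report or the mistral project.
# Audits a log directory for files readable by "other" (the condition
# behind CVE-2019-3866) and tightens them so only the owner and the
# owning group can read them.
# Assumption: mistral logs live under /var/log/mistral on the undercloud;
# set MISTRAL_LOG_DIR to the real path for your deployment.

MISTRAL_LOG_DIR="${MISTRAL_LOG_DIR:-/var/log/mistral}"

# List regular files under $1 whose mode grants read access to "other".
world_readable_files() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Succeed (exit 0) only when no world-readable file exists under $1,
# so it can serve as a pass/fail check from cron or CI.
check_log_dir() {
    [ -z "$(world_readable_files "$1")" ]
}

# Remove every "other" permission bit from files and directories under $1.
# Directories lose o+x as well, so an unprivileged user cannot traverse
# into the tree to reach log files created later.
harden_log_dir() {
    find "$1" -type f \( -perm -o=r -o -perm -o=w -o -perm -o=x \) \
        -exec chmod o-rwx {} +
    find "$1" -type d -exec chmod o-rwx {} +
}
```

Tightening modes on existing files does not stop the secrets from being written; the versions listed under Fixed In Version address that, and rotated or newly created logs need a restrictive create mode too.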

Comment 20 errata-xmlrpc 2021-02-04 16:14:12 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420

Comment 21 Product Security DevOps Team 2021-02-04 20:41:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3866

Comment 23 Summer Long 2021-02-16 05:08:53 UTC
Statement:

In Red Hat OpenStack Platform 10/13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP10/13 openstack-mistral package.