Bug 1850156 (CVE-2017-8761)

Summary: CVE-2017-8761 openstack-swift: logs valid temporary URLs, which could give anyone with access to the log files access to data
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aileenc, chazlett, derekh, drieden, ggaughan, gmalinko, hvyas, janstey, jjoyce, jochrist, jschluet, jwon, kbasil, lhh, lpeer, mburns, ntait, sclewis, slinaber, srevivo, swiftbugzilla, tshefi, zaitcev
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openstack-swift, where the proxy server logs valid temporary URLs (tempurls), which could be used to gain access to data by anyone who can read the log files. This is especially important with tempurls that are valid for extended periods, or when central logging servers are used that are accessed by operators who have no access to the Swift servers themselves. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 18:10:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1860528, 1860529, 1860530, 1860531, 1860532, 1860533, 1860534
Bug Blocks: 1850159

Description Michael Kaplan 2020-06-23 15:38:30 UTC
The proxy server will log valid temporary URLs, which might be used to gain access to data by anyone with access to the logfiles. This is especially important with tempurls that are valid for extended periods and/or when using central logging servers, accessed by operators that have no access to the Swift servers.

References:

https://bugs.launchpad.net/swift/+bug/1685798
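The mitigation for the flaw described above is to stop the full tempurl signature from reaching the access log. The following is an added example, not code from this bug report or from Swift itself: it truncates the temp_url_sig query value to a short prefix before a request line is logged, modelled on the reveal_sensitive_prefix approach that Swift's proxy-logging middleware uses for auth tokens. The log line, signature and expiry below are constructed sample data.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose value is a bearer credential: anyone holding the
# full temp_url_sig (plus the path and temp_url_expires) can replay the request.
SENSITIVE_QUERY_PARAMS = {"temp_url_sig"}


def obscure_temp_url(url: str, reveal_prefix: int = 16) -> str:
    """Truncate sensitive query values to their first reveal_prefix characters.

    Keeping a short prefix preserves enough to correlate log entries for one
    tempurl without leaving a replayable signature in the log file.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_PARAMS and len(value) > reveal_prefix:
            value = value[:reveal_prefix] + "..."
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Apply obscure_temp_url to every field of a space-delimited proxy access
    log line that carries a temp_url_sig; all other fields pass through."""
    return " ".join(
        obscure_temp_url(field) if "temp_url_sig=" in field.lower() else field
        for field in line.split(" ")
    )


# Constructed sample: a space-delimited access log entry for a tempurl GET,
# with a made-up signature and expiry (not taken from any real deployment).
SAMPLE_LOG_LINE = (
    "10.0.0.5 10.0.0.5 23/Jun/2020/15/38/30 GET "
    "/v1/AUTH_test/container/object"
    "?temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709"
    "&temp_url_expires=1600000000 HTTP/1.0 200 - curl/7.64 - - 1024 - txabc123"
)

if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LOG_LINE))
```

The truncated prefix still lets an operator match a client report against the log entry, while the 24 remaining characters of the signature never leave the proxy.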

Comment 1 Hardik Vyas 2020-06-24 15:32:21 UTC
Statement:

Openstack Swift is no longer supported with the recent release of Red Hat Gluster Storage 3.5, hence openstack-swift will not be updated for this flaw.

Comment 2 Kunjan Rathod 2020-06-25 00:40:10 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 3 Nick Tait 2020-07-24 22:33:55 UTC
Created openstack-swift tracking bugs for this issue:

Affects: openstack-rdo [bug 1860528]

Comment 6 Nick Tait 2020-07-30 16:32:05 UTC
External References:

https://bugs.launchpad.net/swift/+bug/1685798