Bug 2181621 (CVE-2023-1625)

Summary:	CVE-2023-1625 openstack-heat: information leak in API
Product:	[Other] Security Response	Reporter:	Nick Tait <ntait>
Component:	vulnerability	Assignee:	Nobody <nobody>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	eglynn, jjoyce, lhh, mburns, mgarciac, rhos-maint, spower
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	openstack-heat 22.0.0.0rc1	Doc Type:	If docs needed, set a value
Doc Text:	An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2181623, 2181642, 2181643, 2181644
Bug Blocks:	2170315

Description Nick Tait 2023-03-24 19:33:35 UTC

An information leak was discovered in openstack heat.
https://review.opendev.org/c/openstack/heat/+/868166
https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb

The get stack environment API doesn't mask hidden parameter values. A malicious system user can get sensitive data by this API even though
encrypt_parameters_and_properties option is set to true. All VMs deployed by this heat template may be compromised.

Comment 1 Nick Tait 2023-03-24 19:33:49 UTC

Created openstack-heat tracking bugs for this issue:

Affects: openstack-rdo [bug 2181623]