Bug 957033 (CVE-2013-2013)

Summary: CVE-2013-2013 OpenStack keystone: password disclosure on command line
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, aortega, apevec, apevec, ayoung, bfilippov, breu, chrisw, cpelland, dallan, d.busby, gmollett, Jan.van.Eldik, jkt, jonathansteffan, jose.castro.leon, jruzicka, markmc, p, rbryant, rhos-maint, sclewis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120222,reported=20130426,source=upstream,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N,fedora-all/openstack-keystone=affected,epel-6/openstack-keystone=affected,openstack-1/openstack-keystone=wontfix,openstack-2.1/openstack-keystone=affected,fedora-all/python-keystoneclient=affected,fedora-rawhide/python-keystoneclient=affected,epel-6/python-keystoneclient=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-06 19:32:12 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 957034, 957035, 957036, 971746, 971837    
Bug Blocks: 957037    

Description Kurt Seifried 2013-04-26 04:29:59 EDT
Jake Dahn reports:

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Repeat Password:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.
Comment 1 Kurt Seifried 2013-04-26 04:33:36 EDT
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 957034]
Comment 2 Kurt Seifried 2013-04-26 04:34:34 EDT
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 957035]
Comment 5 Kurt Seifried 2013-05-22 19:38:58 EDT
Jeremy Stanley (jeremy@openstack.org) reports:

Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.


External references:
Comment 6 Jan Lieskovsky 2013-06-07 07:40:17 EDT
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-rawhide [bug 971837]
Comment 7 Alan Pevec 2013-06-28 15:16:48 EDT
Fixed in python-keystoneclient 0.2.4

Comment 8 Fedora Update System 2013-08-19 14:07:38 EDT
python-keystoneclient-0.2.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-08-20 20:08:58 EDT
python-keystoneclient-0.2.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Garth Mollett 2014-03-06 19:32:12 EST

The Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.