Bug 1033715 (CVE-2013-6384) - CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak
Summary: CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-6384
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1033719 1033720 1033721
Blocks: 1033718
TreeView+ depends on / blocked
 
Reported: 2013-11-22 17:01 UTC by Kurt Seifried
Modified: 2019-09-29 13:10 UTC (History)
16 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-03-10 05:34:06 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2013-11-22 17:01:21 UTC 
Thierry Carrez of the OpenStack project reports:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

"""
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The
password for the DB2 or MongoDB backends was logged at INFO level in the
ceilometer-api logs. An attacker with access to the logs (local shell,
log aggregation system access, or accidental leak) may leverage this
vulnerability to elevate privileges and gain direct full access to the
Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB
backends are affected.
"""

External References:
https://bugs.launchpad.net/ceilometer/+bug/1244476
Comment 2 Vincent Danen 2013-11-22 18:03:32 UTC 
Icehouse (development branch) fix:
https://review.openstack.org/#/c/54553/

Havana fix:
https://review.openstack.org/#/c/56396/
Note You need to log in before you can comment on or make changes to this bug.