Bug 1033715 – CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1033715 - (CVE-2013-6384) CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak

Summary:	CVE-2013-6384 OpenStack: Ceilometer DB2/MongoDB backend password leak

Status:	CLOSED CURRENTRELEASE

Aliases:	CVE-2013-6384

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20131122,reported=2...
Keywords:	Security

Depends On:	1033719 1033720 1033721
Blocks:	1033718
	Show dependency tree / graph

Reported:	2013-11-22 12:01 EST by Kurt Seifried
Modified:	2016-04-26 22:58 EDT (History)
CC List:	16 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-03-10 01:34:06 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kurt Seifried 2013-11-22 12:01:21 EST

Thierry Carrez of the OpenStack project reports:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

"""
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The
password for the DB2 or MongoDB backends was logged at INFO level in the
ceilometer-api logs. An attacker with access to the logs (local shell,
log aggregation system access, or accidental leak) may leverage this
vulnerability to elevate privileges and gain direct full access to the
Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB
backends are affected.
"""

External References:
https://bugs.launchpad.net/ceilometer/+bug/1244476

Comment 2 Vincent Danen 2013-11-22 13:03:32 EST

Icehouse (development branch) fix:
https://review.openstack.org/#/c/54553/

Havana fix:
https://review.openstack.org/#/c/56396/

Note You need to log in before you can comment on or make changes to this bug.