The following flaw was found in Keystone:

Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted.

Upstream patches:
https://review.openstack.org/175519 (Icehouse)
https://review.openstack.org/173116 (Juno)

Upstream bug:
https://launchpad.net/bugs/1443598

Upstream advisory:
http://www.openwall.com/lists/oss-security/2015/05/05/11
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1218642]
Affects: openstack-rdo [bug 1218644]
Statement: While this issue does occur in openstack-keystone packages as shipped in Red Hat Enterprise Linux OpenStack Platform versions 5 and 6, it is not believed to be exploitable as access to the keystone logs is restricted with file-system permissions.
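
Added example (not part of the original report and not Keystone code): a log audit that finds backend_argument values already written to Keystone logs, as described in the flaw description above, and produces a redacted copy. The log layout, the sample lines, the argument names treated as sensitive and the function names are assumptions made for illustration.

```python
import ast
import re

# Constructed sample lines. The layout ("<section>.<option> = [list]") is an
# assumption; adjust OPTION_RE to the format seen in the logs being audited.
SAMPLE_LOG = """\
2015-05-05 10:00:01.123 2301 DEBUG keystone [-] cache.backend = keystone.cache.mongo
2015-05-05 10:00:01.124 2301 DEBUG keystone [-] cache.backend_argument = ['db_hosts:localhost:27017', 'username:ks_cache', 'password:EXAMPLE-ONLY']
2015-05-05 10:00:01.125 2301 DEBUG keystone [-] cache.enabled = True
2015-05-05 10:00:01.126 2301 DEBUG keystone [-] cache.backend_argument = ['url:mongodb://ks:EXAMPLE-ONLY@db.example.test/cache']
"""

OPTION_RE = re.compile(r"^(?P<prefix>.*\bbackend_argument\s*=\s*)(?P<value>\[.*\])\s*$")
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "key"}  # assumed names
URL_USERINFO_RE = re.compile(r"(?P<scheme>[a-z][a-z0-9+.-]*://[^:/@\s]+):[^@\s]+@", re.I)


def redact_argument(arg):
    """Return (redacted_arg, was_sensitive) for one '<name>:<value>' entry."""
    name, sep, _value = arg.partition(":")
    if sep and name.strip().lower() in SENSITIVE_KEYS:
        return f"{name}:***", True
    redacted, count = URL_USERINFO_RE.subn(r"\g<scheme>:***@", arg)
    return redacted, count > 0


def audit_log(text):
    """Return (findings, redacted_text); findings is [(line_no, [arg names])]."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = OPTION_RE.match(line)
        if match:
            try:
                args = ast.literal_eval(match.group("value"))
            except (ValueError, SyntaxError):
                args = None
            if isinstance(args, list):
                results = [redact_argument(str(a)) for a in args]
                leaked = [r.partition(":")[0] for r, hit in results if hit]
                line = match.group("prefix") + repr([r for r, _ in results])
            else:  # value could not be parsed: flag it and redact it whole
                leaked, line = ["<unparsed>"], match.group("prefix") + "***"
            if leaked:
                findings.append((lineno, leaked))
        out.append(line)
    return findings, "\n".join(out)
```

Any credential this reports should be treated as exposed to everyone who could read the log file, including rotated and forwarded copies.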