Red Hat Bugzilla – Bug 1296837
CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError
Last modified: 2016-04-26 11:48:28 EDT
Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.
Created openstack-nova tracking bugs for this issue:
Affects: fedora-all [bug 1296839]
Red Hat Enterprise Linux OpenStack Platform does not support the Xen hypervisor, and is therefore not affected by this flaw in any supported configuration.
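The logging flaw described in the report, shown as an added example that is not Nova's code or its fix: a stand-in StorageError built from raw connection parameters, next to one built from a masked copy. The key names, parameter layout, function names and sample values are assumptions constructed for illustration.

```python
import logging

LOG = logging.getLogger("example.volume")

# Key names treated as secret: an assumption for this example, not Nova's list.
SENSITIVE_KEYS = frozenset(
    {"password", "auth_password", "secret", "chap_secret", "token"})
MASK = "***"


class StorageError(Exception):
    """Stand-in for the exception class named in the report."""


def mask_secrets(value):
    """Return a copy of value with secret-named fields replaced by MASK."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else mask_secrets(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(v) for v in value)
    return value


def connect_unsafe(params):
    # Leaky pattern: raw parameters become part of the exception text,
    # so every handler that logs the exception also logs the credential.
    raise StorageError("Unable to attach volume: %s" % (params,))


def connect_safe(params):
    # Hardened pattern: mask before the data can reach any message or log.
    raise StorageError("Unable to attach volume: %s" % (mask_secrets(params),))


def error_text(connect, params):
    """Run connect, log the failure as a service would, return the logged text."""
    try:
        connect(params)
    except StorageError as exc:
        LOG.error("%s", exc)
        return str(exc)


# Constructed sample connection data (hypothetical values).
SAMPLE = {"driver_volume_type": "iscsi",
          "data": {"target_iqn": "iqn.2016-01.example:vol1",
                   "auth_username": "nova",
                   "auth_password": "s3cr3t-example"}}
```

Masking at the point where the message is built, rather than in a log filter, also covers copies of the exception text that reach API responses or notification payloads.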