Bug 1735522 (CVE-2019-14433) - CVE-2019-14433 openstack-nova: Nova server resource faults leak external exception details
Summary: CVE-2019-14433 openstack-nova: Nova server resource faults leak external exce...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14433
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1735543 1735544 1735545 1735546 1738351
Blocks: 1735523
TreeView+ depends on / blocked
 
Reported: 2019-08-01 03:36 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:35 UTC (History)
18 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-09-04 13:07:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2622 0 None None None 2019-09-03 16:53:36 UTC
Red Hat Product Errata RHSA-2019:2631 0 None None None 2019-09-03 16:36:33 UTC
Red Hat Product Errata RHSA-2019:2652 0 None None None 2019-09-04 08:22:49 UTC

Description Dhananjay Arunesh 2019-08-01 03:36:05 UTC 
A vulnerability was found in Nova Compute resource fault handling. If an API request from an authenticateduser ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response and could include sensitive configuration or other data.
Comment 6 Joshua Padman 2019-08-01 05:06:55 UTC 
Upstream bug: https://bugs.launchpad.net/nova/+bug/1837877
Comment 7 Joshua Padman 2019-08-01 05:11:01 UTC 
Acknowledgments:

Name: The OpenStack project
Comment 9 Joshua Padman 2019-08-06 22:19:51 UTC 
External References:

https://security.openstack.org/ossa/OSSA-2019-003.html
Comment 11 Joshua Padman 2019-08-06 22:21:46 UTC 
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1738351]
Comment 12 Summer Long 2019-08-12 02:28:10 UTC 
Statement:

Red Hat OpenStack Platform 9 will be retired shortly after the flaw's public date; based on the severity of this vulnerability, it was determined that this fix would not be back ported.
Comment 13 errata-xmlrpc 2019-09-03 16:36:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:2631 https://access.redhat.com/errata/RHSA-2019:2631
Comment 14 errata-xmlrpc 2019-09-03 16:53:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:2622 https://access.redhat.com/errata/RHSA-2019:2622
Comment 15 errata-xmlrpc 2019-09-04 08:22:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:2652 https://access.redhat.com/errata/RHSA-2019:2652
Comment 16 Product Security DevOps Team 2019-09-04 13:07:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14433
Note You need to log in before you can comment on or make changes to this bug.