Bug 1735522 (CVE-2019-14433) - CVE-2019-14433 openstack-nova: Nova server resource faults leak external exception details
Summary: CVE-2019-14433 openstack-nova: Nova server resource faults leak external exce...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14433
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1735543 1735544 1735545 1735546 1738351
Blocks: 1735523
TreeView+ depends on / blocked
 
Reported: 2019-08-01 03:36 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:35 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Nova Compute resource fault handling. The Nova Compute service might leak configuration information or other sensitive information because of a failed API request. To trigger this vulnerability, the API request needs to fail due to an external exception. The ability of an attacker to trigger an external exception in another component will determine the success of this attack.
Clone Of:
Environment:
Last Closed: 2019-09-04 13:07:35 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2622 0 None None None 2019-09-03 16:53:36 UTC
Red Hat Product Errata RHSA-2019:2631 0 None None None 2019-09-03 16:36:33 UTC
Red Hat Product Errata RHSA-2019:2652 0 None None None 2019-09-04 08:22:49 UTC

Description Dhananjay Arunesh 2019-08-01 03:36:05 UTC
A vulnerability was found in Nova Compute resource fault handling. If an API request from an authenticateduser ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response and could include sensitive configuration or other data.

Comment 6 Joshua Padman 2019-08-01 05:06:55 UTC
Upstream bug: https://bugs.launchpad.net/nova/+bug/1837877

Comment 7 Joshua Padman 2019-08-01 05:11:01 UTC
Acknowledgments:

Name: The OpenStack project

Comment 9 Joshua Padman 2019-08-06 22:19:51 UTC
External References:

https://security.openstack.org/ossa/OSSA-2019-003.html

Comment 11 Joshua Padman 2019-08-06 22:21:46 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1738351]

Comment 12 Summer Long 2019-08-12 02:28:10 UTC
Statement:

Red Hat OpenStack Platform 9 will be retired shortly after the flaw's public date; based on the severity of this vulnerability, it was determined that this fix would not be back ported.

Comment 13 errata-xmlrpc 2019-09-03 16:36:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:2631 https://access.redhat.com/errata/RHSA-2019:2631

Comment 14 errata-xmlrpc 2019-09-03 16:53:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:2622 https://access.redhat.com/errata/RHSA-2019:2622

Comment 15 errata-xmlrpc 2019-09-04 08:22:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:2652 https://access.redhat.com/errata/RHSA-2019:2652

Comment 16 Product Security DevOps Team 2019-09-04 13:07:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14433


Note You need to log in before you can comment on or make changes to this bug.