A vulnerability was discovered in which all the data from the TripleO Heat stack (user-provided and generated passwords, certificates, SSH keys) are written to the Mistral logs on the undercloud in clear text.
Created openstack-mistral-3 tracking bugs for this issue: Affects: openstack-rdo [bug 1770043]
Upstream bug: https://bugs.launchpad.net/tripleo/+bug/1850843
Patch for Pike and newer: https://launchpadlibrarian.net/449472809/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
Patch for Ocata and older: https://launchpadlibrarian.net/449473654/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
Acknowledgments: Name: the OpenStack project; Upstream: Gauvain Pocentek and Clément Beaufils (Kindred Group PLC)
Mitigation: Exposure of the plain text information can be limited by ensuring that no Mistral log files on the undercloud are world readable.
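The following is an added example, not part of the bug report or of any Red Hat or OpenStack tooling, showing how an operator can audit the mitigation above: it lists the regular files under a log directory that carry the world-readable bit and, if desired, strips the "other" permission bits from them. The directory path is an assumption (the example runs against a constructed temporary directory rather than a real undercloud).

```shell
#!/bin/sh
# Added example (not from the bug report): audit and fix world-readable
# log files. Pass the real Mistral log directory (an assumed path such as
# /var/log/mistral) as the argument; the demo below uses a temporary directory.

# Print every regular file under $1 whose "other read" bit (0004) is set.
find_world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Return the number of world-readable regular files under $1.
count_world_readable_logs() {
    find_world_readable_logs "$1" | wc -l | tr -d ' '
}

# Remove read, write and execute permission for "other" on every
# world-readable regular file under $1 (e.g. 0644 becomes 0640).
restrict_log_permissions() {
    find "$1" -type f -perm -004 -exec chmod o-rwx {} +
}

# Demonstration against a constructed stand-in for the log directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample content; a real log would carry stack parameters.
    printf 'constructed sample: admin_password=EXAMPLE\n' > "$tmp/executor.log"
    printf 'constructed sample: no secrets here\n' > "$tmp/api.log"
    chmod 644 "$tmp/executor.log"   # world readable: the problem case
    chmod 640 "$tmp/api.log"        # already restricted
    echo "world-readable log files before: $(count_world_readable_logs "$tmp")"
    find_world_readable_logs "$tmp"
    restrict_log_permissions "$tmp"
    echo "world-readable log files after:  $(count_world_readable_logs "$tmp")"
    rm -rf "$tmp"
}

demo
```

Run the audit function alone on a schedule (or as a check in configuration management) to catch log files that are recreated with permissive modes after rotation; the permission change only narrows who can read the files and does not remove the secrets already written, so it complements rather than replaces the upstream patch.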
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3866
Statement: In Red Hat OpenStack Platform 10/13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP10/13 openstack-mistral package.