1850156 – (CVE-2017-8761) CVE-2017-8761 openstack-swift: logs valid temporary urls which could result in access to data by anyone with access to the logfiles

Bug 1850156 (CVE-2017-8761) - CVE-2017-8761 openstack-swift: logs valid temporary urls which could result in access to data by anyone with access to the logfiles

Summary: CVE-2017-8761 openstack-swift: logs valid temporary urls which could result i...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-8761
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1860528 1860529 1860530 1860531 1860532 1860533 1860534
Blocks:	1850159
TreeView+	depends on / blocked

Reported:	2020-06-23 15:38 UTC by Michael Kaplan
Modified:	2021-10-28 18:10 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in openstack-swift, where the proxy server logs valid temporary URLs, that might be used to gain access to data by anyone with access to the logfiles. This is especially important with tempurls that are valid for extended periods or when using central logging servers, accessed by operators that have no access to the Swift servers. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:	2021-10-28 18:10:30 UTC

Attachments	(Terms of Use)

Description Michael Kaplan 2020-06-23 15:38:30 UTC

The proxy server will log valid temporary urls, that might be used to gain access to data by anyone with access to the logfiles. This is especially important with tempurls that are valid for extended
periods and/or when using central logging servers, accessed by operators that have no access to the Swift servers.

References:

https://bugs.launchpad.net/swift/+bug/1685798

Comment 1 Hardik Vyas 2020-06-24 15:32:21 UTC

Statement:

Openstack Swift is no longer supported with the recent release of Red Hat Gluster Storage 3.5, hence openstack-swift will not be updated for this flaw.

Comment 2 Kunjan Rathod 2020-06-25 00:40:10 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 3 Nick Tait 2020-07-24 22:33:55 UTC

Created openstack-swift tracking bugs for this issue:

Affects: openstack-rdo [bug 1860528]

Comment 6 Nick Tait 2020-07-30 16:32:05 UTC

External References:

https://bugs.launchpad.net/swift/+bug/1685798

Note You need to log in before you can comment on or make changes to this bug.

aileenc
chazlett
derekh
drieden
ggaughan
gmalinko
hvyas
janstey
jjoyce
jochrist
jschluet
jwon
kbasil
lhh
lpeer
mburns
ntait
sclewis
slinaber
srevivo
swiftbugzilla
tshefi
zaitcev