Bug 957033 - (CVE-2013-2013) CVE-2013-2013 OpenStack keystone: password disclosure on command line
CVE-2013-2013 OpenStack keystone: password disclosure on command line
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120222,reported=2...
: Security
Depends On: 957034 957035 957036 971746 971837
Blocks: 957037
  Show dependency treegraph
 
Reported: 2013-04-26 04:29 EDT by Kurt Seifried
Modified: 2016-04-26 10:33 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-06 19:32:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 938315 None None None Never

  None (edit)
Description Kurt Seifried 2013-04-26 04:29:59 EDT
Jake Dahn reports:

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.
Comment 1 Kurt Seifried 2013-04-26 04:33:36 EDT
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 957034]
Comment 2 Kurt Seifried 2013-04-26 04:34:34 EDT
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 957035]
Comment 5 Kurt Seifried 2013-05-22 19:38:58 EDT
Jeremy Stanley (jeremy@openstack.org) reports:

Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

External references:
https://bugs.launchpad.net/python-keystoneclient/+bug/938315
Comment 6 Jan Lieskovsky 2013-06-07 07:40:17 EDT
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-rawhide [bug 971837]
Comment 7 Alan Pevec 2013-06-28 15:16:48 EDT
Fixed in python-keystoneclient 0.2.4

http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77
Comment 8 Fedora Update System 2013-08-19 14:07:38 EDT
python-keystoneclient-0.2.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-08-20 20:08:58 EDT
python-keystoneclient-0.2.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Garth Mollett 2014-03-06 19:32:12 EST
Statement:

The Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.