The OpenStack project reports: "" Reporter: Amrith Kumar (Tesora) Products: Cinder, Nova, Trove Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.2 Description: Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that have failed or when the mask_password did not mask passwords properly. "" CVE request: http://seclists.org/oss-sec/2014/q3/846 References: https://launchpad.net/bugs/1343604 https://launchpad.net/bugs/1345233
MITRE assigned CVE-2014-7230 and CVE-2014-7231. Quoting http://seclists.org/oss-sec/2014/q3/853 "" There are (at least) two CVE IDs needed because of the different vulnerability types. The older code in which processutils.execute was simply logging cmd directly, without any masking step, can be considered an instance of the http://cwe.mitre.org/data/definitions/532.html issue. For this, use CVE-2014-7230. The older code with a short _FORMAT_PATTERNS list, with a later replacement by longer _FORMAT_PATTERNS_1 and _FORMAT_PATTERNS_2 lists, can be considered an instance of the http://cwe.mitre.org/data/definitions/184.html issue. Bug #1343604 mentions 'mask_password did not, for example, catch the usage ... /usr/sbin/mysqld --password=top-secret ... They did catch ... /usr/sbin/mysqld --password="top-secret" ... make the strings in strutils.mask_password more robust.' For this, use CVE-2014-7231. ""
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1150811]
Created openstack-cinder tracking bugs for this issue: Affects: fedora-all [bug 1150810]
From upstream: " Notes: The former patch did not cover the ssh_execute method used in Nova and Cinder, thus two more patches are required for these projects. Nova and Cinder fixes are included in the 2014.2rc2 release candidate and will appear in a future 2014.1.4 release. Trove fix was included in the 2014.2rc1 release candidate and 2014.1.3 release. "
https://bugs.launchpad.net/ossa/+bug/1377981
Going by the assignment from MITRE, the ssh_execute case is not covered by these 2 CVE assignments. The ssh_execute case should be considered a separate bug and is currently considered a hardening fix and has no CVE assignment.
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1788 https://rhn.redhat.com/errata/RHSA-2014-1788.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1787 https://rhn.redhat.com/errata/RHSA-2014-1787.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1782 https://rhn.redhat.com/errata/RHSA-2014-1782.html
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1689 https://rhn.redhat.com/errata/RHSA-2014-1689.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1939 https://rhn.redhat.com/errata/RHSA-2014-1939.html