Bug 1218640 (CVE-2015-3646) - CVE-2015-3646 openstack-keystone: cache backend password leak in log (OSSA 2015-008)
Summary: CVE-2015-3646 openstack-keystone: cache backend password leak in log (OSSA 20...
Alias: CVE-2015-3646
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1218642 1218644 1246362
Blocks: 1218647
TreeView+ depends on / blocked
Reported: 2015-05-05 13:20 UTC by Martin Prpič
Modified: 2021-02-17 05:20 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-28 06:29:15 UTC

Attachments (Terms of Use)

Description Martin Prpič 2015-05-05 13:20:36 UTC
The following flaw was found in Keystone:

Eric Brown from VMware reported a vulnerability in Keystone. The backend_argument configuration option content is being logged, and it may contain sensitive information for specific backends (like a password for MongoDB). An attacker with read access to Keystone logs may therefore obtain sensitive data about certain backends. All Keystone setups are potentially impacted.

Upstream patches:

https://review.openstack.org/175519 (Icehouse)
https://review.openstack.org/173116 (Juno)

Upstream bug:


Upstream advisory:


Comment 1 Martin Prpič 2015-05-05 13:23:31 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1218642]
Affects: openstack-rdo [bug 1218644]

Comment 3 Garth Mollett 2015-07-28 06:28:49 UTC

While this issue does occur in openstack-keystone packages as shipped in Red Hat Enterprise Linux OpenStack Platform versions 5 and 6 it is not believed to be exploitable as access to the keystone logs is restricted with file-system permissions.

Note You need to log in before you can comment on or make changes to this bug.