Bug 1296837 (CVE-2015-8749) - CVE-2015-8749 openstack-nova: Xen connection password leak in logs via StorageError
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-8749
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1296838 1296839
Blocks: 1296840
Reported: 2016-01-08 08:55 UTC by Martin Prpič
Modified: 2021-02-17 04:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-20 03:00:17 UTC
Embargoed:


Description Martin Prpič 2016-01-08 08:55:23 UTC
Title: Xen connection password leak in logs via StorageError

Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:

Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.

References:

https://launchpad.net/bugs/1516765
http://seclists.org/oss-sec/2016/q1/42
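
The logging pattern described above, next to a masked form, as an added example that is not Nova's code or its actual fix. The local `StorageError` class, the parameter key names, the sample values and the list of secret key fragments are all constructed assumptions.

```python
import logging

MASK = "***"
# Key fragments treated as secret. The list is an assumption for this example.
SECRET_FRAGMENTS = ("password", "secret", "token")

# Constructed connection parameters; every key name and value is made up.
SAMPLE_PARAMS = {
    "driver_volume_type": "iscsi",
    "data": {
        "target_iqn": "iqn.2016-01.example:vol1",
        "auth_username": "nova",
        "auth_password": "s3cr3t-constructed",
    },
}


class StorageError(Exception):
    """Local stand-in for the storage exception named in the report."""


def mask_secrets(value):
    """Return a copy of value with secret-looking dict entries masked."""
    if isinstance(value, dict):
        return {
            key: MASK
            if any(f in str(key).lower() for f in SECRET_FRAGMENTS)
            else mask_secrets(item)
            for key, item in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(item) for item in value)
    return value


def failure_message(params, mask=True):
    # mask=False reproduces the leak: parameters interpolated verbatim.
    shown = mask_secrets(params) if mask else params
    return "Unable to attach volume, connection parameters: %s" % (shown,)


def attach_volume(params, log=logging.getLogger("example.xen")):
    try:
        raise StorageError("constructed failure")
    except StorageError:
        log.error(failure_message(params))  # masked before any handler sees it
        raise
```

Masking happens on a copy before the message is built, so the caller's parameters stay usable for the actual connection attempt while non-secret fields remain available for troubleshooting.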

Comment 2 Martin Prpič 2016-01-08 08:56:47 UTC
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1296839]

Comment 3 Summer Long 2016-01-20 00:05:14 UTC
Statement:

Red Hat Enterprise Linux OpenStack Platform does not support the Xen hypervisor, and is therefore not affected by this flaw in any supported configuration.

