Bug 1420990 (CVE-2017-2621) - CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
Summary: CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
Alias: CVE-2017-2621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1420997 1420998 1420999 1422265
Blocks: 1418888
TreeView+ depends on / blocked
Reported: 2017-02-10 04:46 UTC by Summer Long
Modified: 2021-02-17 02:36 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
Clone Of:
Last Closed: 2017-06-14 23:13:05 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1243 0 normal SHIPPED_LIVE Moderate: openstack-heat security, bug fix, and enhancement update 2017-05-17 16:18:42 UTC
Red Hat Product Errata RHSA-2017:1464 0 normal SHIPPED_LIVE Moderate: openstack-heat security and bug fix update 2017-06-14 19:28:36 UTC

Description Summer Long 2017-02-10 04:46:10 UTC
The directory /var/log/heat is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The 'other readable/execute' bits need to be removed from the /var/log/heat directory:

[stack@instack ~]$ ls -la /var/log/heat
total 39376
drwxr-xr-x.  2 heat root     4096 Feb  9 01:07 .
drwxr-xr-x. 31 root root     4096 Feb  9 01:02 ..
-rw-r--r--.  1 heat heat   201578 Feb  9 20:09 heat-api-cfn.log
-rw-r--r--.  1 heat heat  4899693 Feb  9 20:09 heat-api.log
-rw-r--r--.  1 heat heat 35193112 Feb  9 23:40 heat-engine.log

Comment 1 Summer Long 2017-02-10 05:07:35 UTC

Name: Hans Feldt (Ericsson)

Comment 3 Summer Long 2017-02-14 22:23:48 UTC
Created openstack-heat tracking bugs for this issue:

Affects: openstack-rdo [bug 1422265]

Comment 9 errata-xmlrpc 2017-05-17 12:19:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1243 https://access.redhat.com/errata/RHSA-2017:1243

Comment 10 errata-xmlrpc 2017-06-14 15:37:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:1464 https://access.redhat.com/errata/RHSA-2017:1464

Note You need to log in before you can comment on or make changes to this bug.