A vulnerability was discovered in which all data from the TripleO Heat stack (user-provided and generated passwords, certificates, SSH keys) is written in clear text to the Mistral logs on the undercloud.
Created openstack-mistral-3 tracking bugs for this issue:
Affects: openstack-rdo [bug 1770043]
Upstream bug: https://bugs.launchpad.net/tripleo/+bug/1850843
Patch for Pike and newer: https://launchpadlibrarian.net/449472809/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
Name: the OpenStack project
Upstream: Gauvain Pocentek and Clément Beaufils (Kindred Group PLC)
Patch for Ocata and older: https://launchpadlibrarian.net/449473654/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
Mitigation: exposure of the clear-text information can be limited by ensuring that the Mistral log files are not world-readable.
This issue has been addressed in the following products:
Red Hat Quay 3
Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
For Red Hat OpenStack Platform 10 and 13, no update will be provided at this time for the RHOSP 10/13 openstack-mistral package, because the flaw has a lower impact there and the fix would require a substantial amount of development.