Date: Mon, 25 Nov 2013 15:36:04 +0100 From: Thierry Carrez <thierry@...nstack.org> To: Open Source Security <oss-security@...ts.openwall.com> Subject: [OSSA 2013-031] Ceilometer DB2/MongoDB backend password leak (CVE-2013-6384) OpenStack Security Advisory: 2013-031 CVE: CVE-2013-6384 Date: November 25, 2013 Title: Ceilometer DB2/MongoDB backend password leak Reporter: Eric Brown (IBM) Products: Ceilometer Affects: All supported versions Description: Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected. Icehouse (development branch) fix: https://review.openstack.org/#/c/54553/ Havana fix: https://review.openstack.org/#/c/56396/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6384 https://bugs.launchpad.net/ceilometer/+bug/1244476 Regards, -- Thierry Carrez OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (902 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.