Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 25 Nov 2013 15:36:04 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-031] Ceilometer DB2/MongoDB backend password leak (CVE-2013-6384)

OpenStack Security Advisory: 2013-031
CVE: CVE-2013-6384
Date: November 25, 2013
Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Description:
Eric Brown from IBM reported an information leak in Ceilometer logs. The
password for the DB2 or MongoDB backends was logged at INFO level in the
ceilometer-api logs. An attacker with access to the logs (local shell,
log aggregation system access, or accidental leak) may leverage this
vulnerability to elevate privileges and gain direct full access to the
Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB
backends are affected.

Icehouse (development branch) fix:
https://review.openstack.org/#/c/54553/

Havana fix:
https://review.openstack.org/#/c/56396/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6384
https://bugs.launchpad.net/ceilometer/+bug/1244476

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (902 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.