Date: Wed, 12 Feb 2014 17:14:44 +0000 From: Jeremy Stanley <jeremy@...nstack.org> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-004] Glance Swift store backend password leak (CVE-2014-1948) OpenStack Security Advisory: 2014-004 CVE: CVE-2014-1948 Date: February 12, 2014 Title: Glance Swift store backend password leak Reporter: Nikhil Komawar (Rackspace) Products: Glance Versions: 2013.2 versions up to 2013.2.1 Description: Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected. Icehouse (development branch) fix: https://review.openstack.org/71419 Havana fix: https://review.openstack.org/72473 Notes: This fix will be included in the icehouse-2 development milestone and the upcoming 2013.2.2 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1948 https://launchpad.net/bugs/1275062 -- Jeremy Stanley OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (967 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.