
List:       oss-security
Subject:    Re: [oss-security] CVE request for a vulnerability in OpenStack Ceilometer
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-11-22 16:36:24
Message-ID: 528F8808.7010106 () redhat ! com

On 11/22/2013 08:57 AM, Thierry Carrez wrote:
> A vulnerability was discovered in OpenStack (see below). In order
> to ensure full traceability, we need a CVE number assigned that we
> can attach to further notifications. This issue is already public,
> although an advisory was not sent yet.
> 
> """
> Title: Ceilometer DB2/MongoDB backend password leak
> Reporter: Eric Brown (IBM)
> Products: Ceilometer
> Affects: All supported versions
> 
> Description: Eric Brown from IBM reported an information leak in
> Ceilometer logs. The password for the DB2 or MongoDB backends was
> logged at INFO level in the ceilometer-api logs. An attacker with
> access to the logs (local shell, log aggregation system access, or
> accidental leak) may leverage this vulnerability to elevate
> privileges and gain direct full access to the Ceilometer backend.
> Only Ceilometer setups using the DB2 or MongoDB backends are
> affected.
> """
> 
> References: https://bugs.launchpad.net/ceilometer/+bug/1244476
> 
> Thanks in advance,
> 

Please use CVE-2013-6384 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
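
Added example (not part of the original message and not Ceilometer's own code): one way to keep a backend password out of service logs is a handler-level logging filter that masks the password portion of connection URLs before a record is written. It assumes the password reaches the log inside a URL of the form scheme://user:password@host, which the message above does not state; the logger name, class names and sample URLs are constructed for illustration.

```python
import logging
import re

# Assumption: the secret reaches the log as the userinfo part of a backend
# connection URL (scheme://user:password@host/...). The advisory does not say so.
_URL_CRED = re.compile(
    r"(?P<pre>\b[a-z][a-z0-9+.\-]*://[^\s:/@]*):(?P<pw>[^\s@/]+)@", re.I)


def redact(text):
    """Replace the password in any URL userinfo with a fixed marker."""
    return _URL_CRED.sub(lambda m: m.group("pre") + ":***@", text)


class RedactConnectionSecrets(logging.Filter):
    """Scrub the fully formatted message, so secrets passed as %-args are caught too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


class _ListHandler(logging.Handler):
    """Collects formatted output so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    handler = _ListHandler()
    # Attached to the handler, so it covers every logger that writes through it.
    handler.addFilter(RedactConnectionSecrets())
    log = logging.getLogger("redaction-demo")
    log.propagate = False
    log.setLevel(logging.INFO)
    log.handlers = [handler]
    # Constructed sample values, not taken from any real deployment.
    log.info("connecting to %s", "mongodb://meter:S3cr3t!@db1:27017/ceilometer")
    log.info("connecting to db2://meter:hunter2@db2host:50000/ceilodb")
    log.info("no credentials here: http://example.test:8777/v2/meters")
    return handler.lines
```

The pattern expects passwords containing "@" or "/" to be percent-encoded, as URL syntax requires; a filter like this is a safety net and does not replace removing the log statement that prints the credential.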