[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)

Bug #1572594 reported by Vitaly Sedelnik
Affects               Status         Importance   Assigned to         Milestone
Mirantis OpenStack    Fix Released   High         Alexey Stupnikov
  7.0.x               Fix Released   High         Alexey Stupnikov
  8.0.x               Invalid        High         Alexey Stupnikov
  9.x                 Fix Released   High         Alexey Stupnikov

Bug Description

The upstream fix for https://bugs.launchpad.net/nova/+bug/1516765 needs to be cherry-picked to MOS 7.0

Upstream patch https://review.openstack.org/#/c/249239/

CVE References

CVE-2015-8749

Changed in mos:
importance: Undecided → High
information type: Public → Public Security
Changed in mos:
milestone: 7.0-updates → 7.0-mu-4
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → Alexey Stupnikov (astupnikov)
Changed in mos:
status: Confirmed → In Progress
Alexey Stupnikov (astupnikov) wrote:

We will take the security fix into nova without specific testing or steps to reproduce (MOS does not support the XEN hypervisor).

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to openstack/nova (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/20545
Submitter: Denis V. Meltsaykin <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: d9f4111bd083c8fd1a13aac6ff8ff842725eb15a
Author: Matt Riedemann <email address hidden>
Date: Thu May 12 09:47:32 2016

xen: mask passwords in volume connection_data dict

The connection_data dict can have credentials in it, so we need to scrub
those before putting the stringified dict into the StorageError message
and raising that up and when logging the dict.

Note that strutils.mask_password converts the dict to a string using
six.text_type so we don't have to do that conversion first.

SecurityImpact

Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
Closes-Bug: #1572594
(cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)
(cherry picked from commit cf197ec2d682fb4da777df2291ca7ef101f73b77)
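
The masking the commit message above describes, shown as an added example rather than nova's own code or anything from the robot's post. A stand-in for volume_utils._parse_volume_info raises StorageError with the raw connection_data dict interpolated into the message (the pre-fix behaviour, selected with mask=False) beside the fixed form that passes the dict through a mask_password first, and the same masked string is what goes to the debug log. The StorageError class, the parse_volume_info function, the mask_password implementation and its list of secret keys, and the sample connection_data dict are all assumptions constructed for this example; the real fix calls oslo_utils.strutils.mask_password, whose longer key list and exact patterns are not reproduced here.

```python
import logging
import re

LOG = logging.getLogger(__name__)

# Keys whose values are treated as secrets. This list is an assumption for the
# example; oslo_utils.strutils.mask_password (what the real fix calls) keeps
# its own, longer list of sensitive keys.
_SECRET_KEYS = ("password", "auth_password", "chappassword",
                "auth_token", "token", "secret")

# Matches "'<key>': '<value>'" (or the double-quoted form) inside a
# stringified dict and captures the value so it can be replaced. Values that
# themselves contain quote characters are not handled by this simplified
# pattern.
_SECRET_RE = re.compile(
    r"""(?P<key>['"](?:%s)['"]\s*:\s*)(?P<q>['"])(?P<val>[^'"]*)(?P=q)"""
    % "|".join(_SECRET_KEYS),
    re.IGNORECASE,
)


def mask_password(message, secret="***"):
    """Stringify ``message`` (dict or str) and blank out secret values.

    Follows the contract of oslo_utils.strutils.mask_password that the fix
    relies on: the caller passes the dict itself, the conversion to text
    happens inside, and a masked string comes back.
    """
    text = str(message)
    return _SECRET_RE.sub(
        lambda m: "%s%s%s%s" % (m.group("key"), m.group("q"),
                                secret, m.group("q")),
        text,
    )


class StorageError(Exception):
    """Stand-in for the XenAPI driver's StorageError (assumed shape)."""


def parse_volume_info(connection_data, mask=True):
    """Extract iSCSI target details from a Cinder connection_data dict.

    Stand-in for volume_utils._parse_volume_info. ``mask=False`` reproduces
    the pre-fix behaviour: the raw dict, CHAP password included, lands in
    both the exception message and the debug log. ``mask=True`` is the fixed
    behaviour.
    """
    shown = mask_password(connection_data) if mask else str(connection_data)
    LOG.debug("connection_data: %s", shown)

    volume_id = connection_data.get("volume_id")
    target_portal = connection_data.get("target_portal")
    target_iqn = connection_data.get("target_iqn")
    if volume_id is None or target_portal is None or target_iqn is None:
        # This is the path that leaked credentials before the fix.
        raise StorageError("Unable to obtain target information %s" % shown)

    host, _, port = target_portal.partition(":")
    return {
        "volume_id": volume_id,
        "target_host": host,
        "target_port": int(port) if port else 3260,  # iSCSI default port
        "target_iqn": target_iqn,
    }


def error_message(connection_data, mask):
    """Return the StorageError text parse_volume_info raises, or None."""
    try:
        parse_volume_info(connection_data, mask=mask)
    except StorageError as exc:
        return str(exc)
    return None


# Constructed sample: a CHAP-authenticated iSCSI volume whose target_iqn is
# missing, which is exactly the branch that raises StorageError.
CONNECTION_DATA = {
    "volume_id": "7f3e4c2a-1111-4bbb-9ccc-0123456789ab",
    "target_portal": "10.0.0.5:3260",
    "target_iqn": None,
    "target_lun": 1,
    "auth_method": "CHAP",
    "auth_username": "cinder",
    "auth_password": "S3cretCHAPpw",
}

if __name__ == "__main__":
    print("before fix:", error_message(CONNECTION_DATA, mask=False))
    print("after fix: ", error_message(CONNECTION_DATA, mask=True))
```

Note that the unmasked message reaches more than the caller: StorageError text is typically logged and can surface in instance fault records, so the masking has to cover every place the dict is stringified, including the LOG.debug call, as the commit message says. Masking on the stringified form (rather than deleting keys from the dict) also keeps the non-secret fields, such as auth_username and the portal, available for debugging.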

Changed in mos:
status: In Progress → Fix Committed
Changed in mos:
status: Fix Committed → Fix Released
tags: added: feature-security
Alexey Stupnikov (astupnikov) wrote:

Closing as invalid for MOS 8.0, since the patch was already taken to nova's openstack-ci/fuel-8.0/liberty branch. Upstream bug #1516765.
