CatchErrors leaks sensitive values in oslo.middleware [OSSA-2017-001], [CVE-2017-2592]

Bug #1667226 reported by Adam Heczko
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Status tracked in 10.0.x
Fix Committed
MOS Oslo
Sergii Rizvan
MOS Maintenance
MOS Maintenance

Bug Description

Detailed bug description:
Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
Software using the CatchErrors middleware class may include sensitive values in the error message that accompanies a traceback, resulting in their disclosure. For example, complete API requests (including Keystone tokens in their headers) may leak into the neutron error log.

Expected results:
No sensitive information leaks to log files.

Additional information:
A backport to Liberty and Kilo was not proposed upstream, so most likely we need to backport it to MOS downstream.

Tags: area-oslo

CVE References: CVE-2017-2592
Revision history for this message
Dmitry Mescheryakov (dmitrymex) wrote :

Maintenance team, to get the fix into 9.0/mitaka, please merge

Revision history for this message
Dmitry Mescheryakov (dmitrymex) wrote :

Posted wrong link last time. The correct reference for MOS 9.x fix is merge commit

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

For 9.x the fix is obtained with a sync from mitaka, therefore I'm setting it as Invalid.

Revision history for this message
Sergii Rizvan (srizvan) wrote :

It's a minor bug in oslo_middleware in kilo and liberty:

Because of that code, '%s' doesn't get substituted with anything and we end up with such a stack trace in the neutron log:

<163>May 25 14:31:11 node-2 neutron-server 2017-05-25 14:31:11.084 10287 ERROR oslo_middleware.catch_errors [-] An error occurred during processing the request: %s

That's why I've set status for kilo and liberty as Invalid.
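To make both behaviours concrete, the following is an added example written for this page; it is not oslo.middleware's own code. It builds a minimal CatchErrors-style WSGI middleware in three variants: one that formats the whole request into the error message (the leak described in the bug report, where the X-Auth-Token header ends up in the log), one that passes the '%s' placeholder to the logger with no argument (the kilo/liberty situation described in the comment above, where the placeholder is logged literally and nothing leaks), and one that masks token headers before logging. The environ dictionary and token value are constructed sample data, SENSITIVE_HEADERS and all helper names are this example's own, and the redaction variant is an illustration of the hardening, not the upstream fix.

```python
import io
import logging

# Constructed sample WSGI environ standing in for an API request that
# reaches the CatchErrors middleware.  The token value is a placeholder,
# not a real Keystone token.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/v2.0/networks",
    "HTTP_CONTENT_TYPE": "application/json",
    "HTTP_X_AUTH_TOKEN": "gAAAAABsample-keystone-token",
}

# Header keys (WSGI environ form) that must never reach a log line.
# This set is an assumption of the example, not taken from oslo.middleware.
SENSITIVE_HEADERS = {
    "HTTP_X_AUTH_TOKEN",
    "HTTP_X_SUBJECT_TOKEN",
    "HTTP_X_SERVICE_TOKEN",
    "HTTP_AUTHORIZATION",
}

LOG_MSG = "An error occurred during processing the request: %s"


def failing_app(environ, start_response):
    """Downstream WSGI app that always raises, so the middleware's except path runs."""
    raise RuntimeError("backend failure")


def describe_request(environ):
    """Render the whole request, headers included: what a naive str(request) gives."""
    return " ".join(f"{k}={v}" for k, v in sorted(environ.items()))


def describe_request_redacted(environ):
    """Same rendering, but sensitive header values are replaced with '***'."""
    return " ".join(
        f"{k}={'***' if k in SENSITIVE_HEADERS else v}"
        for k, v in sorted(environ.items())
    )


def make_catch_errors(app, logger, style):
    """Build a CatchErrors-like middleware in one of three logging styles.

    'leaky':         logs the full request (the vulnerability in the report)
    'unsubstituted': passes '%s' with no argument, so logging leaves the
                     placeholder literal (the kilo/liberty behaviour)
    'redacted':      logs the request with sensitive headers masked
    """
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            if style == "leaky":
                logger.exception(LOG_MSG, describe_request(environ))
            elif style == "unsubstituted":
                logger.exception(LOG_MSG)  # no args: message is not %-formatted
            elif style == "redacted":
                logger.exception(LOG_MSG, describe_request_redacted(environ))
            else:
                raise ValueError(f"unknown style {style!r}")
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred. Please try your request again.\n"]
    return middleware


def run_and_capture(style, environ=SAMPLE_ENVIRON):
    """Push one failing request through the chosen variant; return the log text."""
    buf = io.StringIO()
    logger = logging.getLogger(f"catch_errors_demo.{style}")
    logger.setLevel(logging.ERROR)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    try:
        app = make_catch_errors(failing_app, logger, style)
        app(environ, lambda status, headers: None)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


def token_leaks(style, environ=SAMPLE_ENVIRON):
    """True if the sample token shows up anywhere in what the variant logged."""
    return environ["HTTP_X_AUTH_TOKEN"] in run_and_capture(style, environ)


if __name__ == "__main__":
    for style in ("leaky", "unsubstituted", "redacted"):
        print(f"--- {style}: token leaks = {token_leaks(style)}")
        print(run_and_capture(style).splitlines()[0])
```

The 'unsubstituted' variant shows why the kilo/liberty code did not leak: Python's logging only applies %-formatting when arguments are supplied, so the message is emitted with a literal '%s' and the request never enters the log line. The 'redacted' variant keeps the method, path and non-sensitive headers, which is what an operator needs for debugging, while the token is masked before the string is built.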

information type: Private Security → Public Security
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change restored on openstack/oslo.middleware (openstack-ci/fuel-7.0/2015.1.0)

Change restored by Pavlo Shchelokovskyy <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Reason: still need this
