Home page logo

oss-sec logo oss-sec mailing list archives

CVE request for a vulnerability in OpenStack Ceilometer
From: Thierry Carrez <thierry () openstack org>
Date: Fri, 22 Nov 2013 16:57:52 +0100

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Ceilometer DB2/MongoDB backend password leak
Reporter: Eric Brown (IBM)
Products: Ceilometer
Affects: All supported versions

Eric Brown from IBM reported an information leak in Ceilometer logs. The
password for the DB2 or MongoDB backends was logged at INFO level in the
ceilometer-api logs. An attacker with access to the logs (local shell,
log aggregation system access, or accidental leak) may leverage this
vulnerability to elevate privileges and gain direct full access to the
Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB
backends are affected.


Thanks in advance,

Thierry Carrez (ttx)
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]