Mirantis OpenStack

CatchErrors leaks sensitive values in oslo.middleware [OSSA-2017-001], [CVE-2017-2592]

  1. Series 10.0.x
  2. Bug #1667226
Bug #1667226 reported by Adam Heczko
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Status tracked in 10.0.x
10.0.x
Fix Committed
High
MOS Oslo
Mirantis OpenStack 10.0
7.0.x
Invalid
High
Sergii Rizvan
Mirantis OpenStack 7.0-updates
8.0.x
Invalid
High
MOS Maintenance
Mirantis OpenStack 8.0-updates
9.x
Invalid
High
MOS Maintenance
Mirantis OpenStack 9.x-updates

Bug Description

Detailed bug description:
Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
Software using the CatchError class may include sensitive values in the error message accompanying a Traceback, resulting in their disclosure. For example, complete API requests (including keystone tokens in their headers) may leak into neutron error logs.

Expected results:
No sensitive information is leaking to log files.

Additional information:
https://github.com/openstack/ossa/blob/master/ossa/OSSA-2017-001.yaml
https://launchpad.net/bugs/1628031

reviews:
ocata:
https://review.openstack.org/425730

newton:
https://review.openstack.org/425732

mitaka:
https://review.openstack.org/425734

Backport to Liberty and Kilo was not proposed in upstream.
Therefore most likely we need to backport it to MOS in downstream.

Tags: area-oslo

CVE References

Vitaly Sedelnik (vsedelnik)
tags: added: area-oslo
Revision history for this message
Dmitry Mescheryakov (dmitrymex) wrote :

Fix for 10.0 is already merged, see our 10.0/newton log - https://review.fuel-infra.org/gitweb?p=openstack%2Foslo.middleware.git;a=shortlog;h=refs%2Fheads%2F10.0%2Fnewton

Revision history for this message
Dmitry Mescheryakov (dmitrymex) wrote :

Maintenance team, to get the fix into 9.0/mitaka, please merge https://review.fuel-infra.org/#/c/31296/

Revision history for this message
Dmitry Mescheryakov (dmitrymex) wrote :

Posted wrong link last time. The correct reference for MOS 9.x fix is merge commit https://review.fuel-infra.org/#/c/31260/

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

For 9.x the fix is obtained with a sync from mitaka, therefore I'm setting it as Invalid.

Revision history for this message
Sergii Rizvan (srizvan) wrote :

It's a minor bug in oslo_middleware in kilo and liberty: https://github.com/openstack/oslo.middleware/blob/liberty-eol/oslo_middleware/catch_errors.py#L40-L41

Because of that code '%s' doesn't substitutes with anything and we end up with such stracktrace in neutron log:

<163>May 25 14:31:11 node-2 neutron-server 2017-05-25 14:31:11.084 10287 ERROR oslo_middleware.catch_errors [-] An error occurred during processing the request: %s

That's why I've set status for kilo and liberty as Invalid.

Denis Meltsaykin (dmeltsaykin)
information type: Private Security → Public Security
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change restored on openstack/oslo.middleware (openstack-ci/fuel-7.0/2015.1.0)

Change restored by Pavlo Shchelokovskyy <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/35411
Reason: still need this

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.