oss-sec mailing list archives
CVE request for a vulnerability in OpenStack Ceilometer
From: Thierry Carrez <thierry () openstack org>
Date: Fri, 22 Nov 2013 16:57:52 +0100
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. """ Title: Ceilometer DB2/MongoDB backend password leak Reporter: Eric Brown (IBM) Products: Ceilometer Affects: All supported versions Description: Eric Brown from IBM reported an information leak in Ceilometer logs. The password for the DB2 or MongoDB backends was logged at INFO level in the ceilometer-api logs. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Ceilometer backend. Only Ceilometer setups using the DB2 or MongoDB backends are affected. """ References: https://bugs.launchpad.net/ceilometer/+bug/1244476 Thanks in advance, -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for a vulnerability in OpenStack Ceilometer Thierry Carrez (Nov 22)
- Re: CVE request for a vulnerability in OpenStack Ceilometer Kurt Seifried (Nov 22)