oss-sec mailing list archives

CVE request for vulnerability in OpenStack Nova


From: Grant Murphy <grant.murphy () hpe com>
Date: Thu, 7 Jan 2016 11:25:55 -0800

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.

References:
https://launchpad.net/bugs/1516765

Thanks in advance,

--
Grant Murphy
OpenStack Vulnerability Management Team
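
The failure mode described in the message, shown as an added example (not part of the original post and not Nova's code): an error message built from raw connection parameters carries the credential into the log, while masking the parameters first keeps it out. `StorageError` here is a stand-in class, `mask_secrets`, `attach_unsafe`, `attach_safe` and `logged_message` are hypothetical names, and the connection dictionary is constructed sample data.

```python
import logging

# Key substrings treated as secret (an assumption for this example).
SENSITIVE_MARKERS = ("password", "secret", "token")
MASK = "***"


class StorageError(Exception):
    """Stand-in for a storage failure exception; not Nova's class."""


def mask_secrets(value):
    """Return a copy of value with secret-looking dict values masked."""
    if isinstance(value, dict):
        return {
            key: MASK
            if any(m in str(key).lower() for m in SENSITIVE_MARKERS)
            else mask_secrets(val)
            for key, val in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(item) for item in value)
    return value


def attach_unsafe(connection_info):
    """'Before': the error text embeds the raw connection parameters."""
    raise StorageError("Unable to attach volume: %s" % (connection_info,))


def attach_safe(connection_info):
    """'After': parameters are masked before they reach the message."""
    raise StorageError("Unable to attach volume: %s" % (mask_secrets(connection_info),))


def logged_message(attach, connection_info):
    """Run attach() and return the text an exception handler would log."""
    try:
        attach(connection_info)
    except StorageError as exc:
        logging.getLogger(__name__).error("%s", exc)
        return str(exc)


# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "driver_volume_type": "iscsi",
    "data": {"target_portal": "192.0.2.10:3260", "auth_username": "chap-user",
             "auth_password": "s3cr3t-example"},
}
```

Masking at the point where the message is built, rather than in a log filter, also keeps the credential out of tracebacks and any other place the exception text is copied.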
