[OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543)

Jeremy Stanley
=============================================================
OSSA-2020-001: Nova can leak consoleauth token into log files
=============================================================

:Date: February 19, 2020
:CVE: CVE-2015-9543


Affects
~~~~~~~
- Nova: <18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0


Description
~~~~~~~~~~~
Paul Carlton from HP reported a vulnerability in Nova. An attacker
with read access to the service’s logs may obtain tokens used for
console access. All Nova setups using novncproxy are affected.


Patches
~~~~~~~
- https://review.opendev.org/707845 (Queens)
- https://review.opendev.org/704255 (Rocky)
- https://review.opendev.org/702181 (Stein)
- https://review.opendev.org/696685 (Train)
- https://review.opendev.org/220622 (Ussuri)


Credits
~~~~~~~
- Paul Carlton from HP (CVE-2015-9543)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1492140
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9543


Notes
~~~~~
- The stable/queens branch is under extended maintenance and will receive no
  new point releases, but a patch for it is provided as a courtesy.

--
Jeremy Stanley, on behalf of OpenStack Vulnerability Management

_______________________________________________
OpenStack-announce mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

signature.asc (981 bytes) Download Attachment