OpenStack Security Advisory: 2014-004 CVE: CVE-2014-1948 Date: February 12, 2014 Title: Glance Swift store backend password leak Reporter: Nikhil Komawar (Rackspace) Products: Glance Versions: 2013.2 versions up to 2013.2.1 Description: Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected. Icehouse (development branch) fix: https://review.openstack.org/71419 Havana fix: https://review.openstack.org/72473 Notes: This fix will be included in the icehouse-2 development milestone and the upcoming 2013.2.2 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1948 https://launchpad.net/bugs/1275062 -- Jeremy Stanley OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 966 bytes Desc: Digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140212/14c1f881/attachment.pgp>