[openstack-announce] [OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543)

Jeremy Stanley fungi at yuggoth.org
Wed Feb 19 17:09:18 UTC 2020


=============================================================
OSSA-2020-001: Nova can leak consoleauth token into log files
=============================================================

:Date: February 19, 2020
:CVE: CVE-2015-9543


Affects
~~~~~~~
- Nova: <18.2.4,>=19.0.0<19.1.0,>=20.0.0<20.1.0


Description
~~~~~~~~~~~
Paul Carlton from HP reported a vulnerability in Nova. An attacker
with read access to the service’s logs may obtain tokens used for
console access. All Nova setups using novncproxy are affected.


Patches
~~~~~~~
- https://review.opendev.org/707845 (Queens)
- https://review.opendev.org/704255 (Rocky)
- https://review.opendev.org/702181 (Stein)
- https://review.opendev.org/696685 (Train)
- https://review.opendev.org/220622 (Ussuri)


Credits
~~~~~~~
- Paul Carlton from HP (CVE-2015-9543)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1492140
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9543


Notes
~~~~~
- The stable/queens branch is under extended maintenance and will receive no
  new point releases, but a patch for it is provided as a courtesy.

-- 
Jeremy Stanley, on behalf of OpenStack Vulnerability Management