The string concerned is read from a ceilometer config file /etc/ceilometer/pipeline.yaml, which should be protected from an attacker by host-level file permissions.

For example, here it's used to provide the logic to scale the delta in cumulative CPU time in nanos for multiple vcpus to a single utilization percentage:

https://github.com/openstack/ceilometer/blob/master/etc/ceilometer/pipeline.yaml#L46

The string to be eval'd is not submitted via the ceilometer API, so is not part of the "attack surface" as I would understand it.

-- 
You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1367022

Title:
  Un-sanitized eval may have security impact

Status in OpenStack Telemetry (Ceilometer):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  On this line:
  https://github.com/openstack/ceilometer/blob/master/ceilometer/transformer/conversions.py#L62

  eval is used for some transformation. The comments nearby suggest that it is used for a 'multiplicative factor or else a string to be eval'd'.

  If an attacker is able to provide an input like "__import__('os').system('rm -rf /etc')" the process will delete the etc directory with the privileges of the user that is running Ceilometer.

  Eval input should always be sanitized. I was unable to find any places that this is actually used, but this should definitely be hardened.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1367022/+subscriptions
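The hardening the reporter asks for can be done without eval(): parse the scale string with the ast module and walk only the node types an arithmetic scale needs. The following is an added example, not ceilometer's code; the scale expression, the _Meta stand-in for resource_metadata and the apply_scale() name are assumptions for illustration.

```python
import ast
import operator

# Added example (not ceilometer code): evaluate a pipeline "scale" that is
# either a number or a restricted arithmetic expression, without eval().
# Allowed: numeric literals, + - * / **, unary minus, "or", plain names we
# supply, and non-underscore attribute reads on them. Anything else, such
# as a Call node from "__import__('os').system(...)", is rejected.

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}


class UnsafeScaleError(ValueError):
    """Raised when a scale expression contains anything but arithmetic."""


class _Meta(object):
    """Constructed stand-in for a sample's resource_metadata (assumption)."""
    def __init__(self, **fields):
        self.__dict__.update(fields)


def _eval_node(node, names):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, names)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value                       # strings/bools are refused
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, names)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Pow):
        base, exp = _eval_node(node.left, names), _eval_node(node.right, names)
        if exp > 64:                            # keep 10**N from becoming a CPU sink
            raise UnsafeScaleError("exponent too large")
        return base ** exp
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, names),
                                       _eval_node(node.right, names))
    if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
        val = None
        for sub in node.values:                 # "a or b": first truthy value
            val = _eval_node(sub, names)
            if val:
                break
        return val
    if isinstance(node, ast.Name) and node.id in names:
        return names[node.id]
    if isinstance(node, ast.Attribute) and not node.attr.startswith('_'):
        return getattr(_eval_node(node.value, names), node.attr, None)
    raise UnsafeScaleError("disallowed construct: %s" % type(node).__name__)


def apply_scale(scale, value, names):
    """Return value scaled by a numeric factor or a restricted expression."""
    if isinstance(scale, (int, float)):
        return value * scale
    return value * _eval_node(ast.parse(scale, mode='eval'), names)
```

With a CPU-time delta of 2e9 ns over 4 vcpus the assumed expression yields 50.0 percent, while the rm -rf string from the report raises UnsafeScaleError instead of running.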