yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1377981] Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1377981@xxxxxxxxxxxxxxxxxx>
Date: Wed, 08 Oct 2014 13:19:52 -0000
Reply-to: Bug 1377981 <1377981@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/126594
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ee3594072a7ef1c3f5661021fb31118069cbd646
Submitter: Jenkins
Branch:    proposed/juno

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <tristan.cacqueray@xxxxxxxxxxxx>
Date:   Fri Oct 3 19:53:42 2014 +0000

    Mask passwords in exceptions and error messages
    
    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.
    
    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    OSSA is aware of this change request.
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981


** Changed in: nova
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1377981

Title:
  Missing fix for ssh_execute (Exceptions thrown may contain passwords)
  (CVE-2014-7230, CVE-2014-7231)

Status in Cinder:
  Fix Released
Status in Cinder icehouse series:
  In Progress
Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) icehouse series:
  New
Status in The Oslo library incubator:
  Fix Released
Status in oslo-incubator icehouse series:
  New
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  Former bugs:
    https://bugs.launchpad.net/ossa/+bug/1343604
    https://bugs.launchpad.net/ossa/+bug/1345233

  The ssh_execute method is still affected in Cinder and Nova Icehouse release.
  It is prone to password leak if:
  - passwords are used on the command line
  - execution fail
  - calling code catch and log the exception

  The missing fix from oslo-incubator to be merged is:
  6a60f84258c2be3391541dbe02e30b8e836f6c22

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1377981/+subscriptions

References

[Bug 1377981] [NEW] Missing fix for ssh_execute (Exceptions thrown may contain passwords)
From: Tristan Cacqueray, 2014-10-06