Bug 1143673 - (CVE-2019-14433) VUL-0: CVE-2019-14433: openstack-nova: Nova Server Resource Faults Leak External Exception Details
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/238499
Whiteboard: CVSSv3:SUSE:CVE-2019-14433:6.5:(AV:N/...
Reported: 2019-07-31 14:50 UTC by Alexandros Toptsoglou
Modified: 2022-04-14 12:50 UTC (History)
Comment 13 Joseph Davis 2019-08-06 21:47:20 UTC
Looks like the patches have been posted upstream in openstack/nova

https://review.opendev.org/#/q/topic:bug/1837877+(status:open+OR+status:merged)
stable/pike - https://review.opendev.org/#/c/674877/

Waiting for gates to pass and approvals to merge.
Comment 14 Alexandros Toptsoglou 2019-08-07 08:08:47 UTC
now public through oss
==========================================================================
OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
==========================================================================

:Date: August 06, 2019
:CVE: CVE-2019-14433


Affects
~~~~~~~
- Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2


Description
~~~~~~~~~~~
Donny Davis with Intel reported a vulnerability in Nova Compute
resource fault handling. If an API request from an authenticated user
ends in a fault condition due to an external exception, details of the
underlying environment may be leaked in the response and could include
sensitive configuration or other data.


Patches
~~~~~~~
- https://review.openstack.org/674908 (Ocata)
- https://review.openstack.org/674877 (Pike)
- https://review.openstack.org/674859 (Queens)
- https://review.openstack.org/674848 (Rocky)
- https://review.openstack.org/674828 (Stein)
- https://review.openstack.org/674821 (Train)


Credits
~~~~~~~
- Donny Davis from Intel (CVE-2019-14433)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1837877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433


Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
  will receive no new point releases, but patches for them are provided as a
  courtesy.
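The fault-handling pattern the advisory describes, as an added illustrative example that is not Nova's code and not the upstream patches linked above: a weak fault builder that copies any exception's text into the user-visible message, beside a hardened one that passes through only exceptions written for API users, reduces everything else to its class name, and keeps the raw text in a details field that is returned to admin callers only. The class names, the fault dictionary layout, the sample exception text and the admin/non-admin gating are all assumptions chosen for the demonstration.

```python
"""Illustrative model of the fault-serialization failure mode in OSSA-2019-003.

Added example, not Nova's code. Class names, fault layout, sample exception
text and the admin gating below are assumptions made for the demonstration.
"""
import json


class Context:
    """Request context; only the admin flag matters here (assumed attribute)."""

    def __init__(self, is_admin):
        self.is_admin = is_admin


class UserFacingError(Exception):
    """An exception whose message is written for API users and safe to return."""

    def __init__(self, message, code=400):
        super().__init__(message)
        self.code = code


class ExternalDriverError(Exception):
    """Stand-in for an exception raised by a library below the API layer.

    Its message is written for operators and may embed hosts, paths or secrets.
    """


# Constructed sample input: the kind of text a client library puts in its error.
EXTERNAL_EXC = ExternalDriverError(
    "Connection refused: mysql+pymysql://nova:S3cr3tPass@10.0.0.5/nova "
    "(config: /etc/nova/nova.conf)")
USER_EXC = UserFacingError("No valid host was found", code=400)

# Constructed markers that must never reach an unprivileged caller.
SENSITIVE_MARKERS = ("S3cr3tPass", "10.0.0.5", "/etc/nova")


def build_fault_vulnerable(exc):
    """Weak version: any exception's text becomes the always-visible message."""
    return {"code": getattr(exc, "code", 500),
            "message": str(exc),      # external text lands in the user field
            "details": str(exc)}


def build_fault_hardened(exc):
    """Hardened version: only exceptions designed for users keep their text.

    Everything else is reduced to its class name; the raw text survives only
    in 'details', which render_fault() returns to admins alone.
    """
    if isinstance(exc, UserFacingError):
        return {"code": exc.code, "message": str(exc), "details": str(exc)}
    return {"code": 500,
            "message": exc.__class__.__name__,
            "details": str(exc)}


def render_fault(fault, ctx):
    """Serialize a stored fault for one request.

    Details of 500-class faults are admin-only; the message is returned to
    everyone, so the builder must already have made it safe.
    """
    out = {"code": fault["code"], "message": fault["message"]}
    if fault.get("details") and (ctx.is_admin or fault["code"] != 500):
        out["details"] = fault["details"]
    return out


def leaks(rendered):
    """Return True if the serialized body carries any sensitive marker."""
    body = json.dumps(rendered)
    return any(marker in body for marker in SENSITIVE_MARKERS)


def demo():
    """Compare both builders for a non-admin and an admin caller."""
    user = Context(is_admin=False)
    admin = Context(is_admin=True)
    return {
        "vulnerable_user": leaks(render_fault(build_fault_vulnerable(EXTERNAL_EXC), user)),
        "hardened_user": leaks(render_fault(build_fault_hardened(EXTERNAL_EXC), user)),
        "hardened_admin": leaks(render_fault(build_fault_hardened(EXTERNAL_EXC), admin)),
        "hardened_user_message": render_fault(build_fault_hardened(EXTERNAL_EXC), user)["message"],
        "user_error_message": render_fault(build_fault_hardened(USER_EXC), user)["message"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is that gating the details field on admin status is not enough on its own: the vulnerable builder still leaks through the message field, which the renderer returns unconditionally. Deciding at construction time which exception types are allowed to speak to users, and collapsing the rest to a class name, is what closes that path while keeping the full text available to operators.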
Comment 16 Gabriele Sonnu 2022-04-14 12:50:33 UTC
Done.