Bugzilla – Bug 884535
VUL-0: CVE-2014-4615: openstack-neutron,openstack-ceilometer,python-pycadf: token leak to message queue
Last modified: 2014-09-30 11:41:14 UTC
The OpenStack project reports:
Title: User token leak to message queue in pyCADF notifier middleware
Reporter: Zhi Kun Liu (IBM)
Products: Neutron (2014.1 versions up to 2014.1.1)
Ceilometer (2013.2 versions up to 2013.2.3,
2014.1 versions up to 2014.1.1)
pyCADF library (all versions up to 0.5.0)
Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware
available in the PyCADF library and formerly copied into Neutron and
Ceilometer code. An attacker with read access to the message queue may
obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that
goes through the notifier middleware. All services using the notifier
middleware configured after the auth_token middleware pipeline are impacted.
I have a hard time figuring out which of our products are affected. E.g. Cloud4 uses 2014.1.1.dev1.g096106f which is older than 2014.1.1 (that's my current understanding). I would appreciate if you could provide some insight into the versioning of OpenStack while analyzing this bug so I can prepare the bug report better the next time. Thanks.
bugbot adjusting priority
(In reply to comment #0)
> I have a hard time figuring out which of our products are affected. E.g. Cloud4
> uses 2014.1.1.dev1.g096106f which is older than 2014.1.1 (that's my current
> understanding). I would appreciate if you could provide some insight into the
> versioning of OpenStack while analyzing this bug so I can prepare the bug
> report better the next time. Thanks.
Taking 2014.1.1.dev1.g096106f as an example: this means that it's 2014.1.0 (which is 2014.1) + 1 commit (dev1) with the current git HEAD being 096106f.
For the record, the fix in ceilometer is 2b6454f9f4e0585949ab68a91ed405755438d76e and it's in Devel:Cloud:4, but needs to be pushed for an update.
The fix for neutron is in 0324965a0c2987e5cad6276f011682dec184205f. It's also in Devel:Cloud:4, and so just needs to be pushed for the update.
Bernhard: since we ship python-pycadf in Cloud 4, can you also make sure it's up-to-date?
We already have python-pycadf 0.5.1 everywhere.
Added bnc+CVE refs to ceilometer+neutron packages
https://build.suse.de/request/show/43197 Cloud3 / openstack-ceilometer
AFAIU this should be the only required maintenance-update
because Cloud4 GM already had the other two fixes
and our pycadf is newer than 0.5.0.
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-15.
When done, reassign the bug to firstname.lastname@example.org.
released i think... j,mm