CRITICAL 9.8

GHSA-f4g4-cj8f-3cr9

OpenStack Nova logs sensitive context from notification exceptions

Details

An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nova

Introduced in: 13.0.0 Fixed in: 13.1.4

Fix pip install --upgrade 'nova>=13.1.4'

PyPI / nova

Introduced in: 14.0.0 Fixed in: 14.0.5

Fix pip install --upgrade 'nova>=14.0.5'

PyPI / nova

Introduced in: 15.0.1 Fixed in: 15.0.2

Fix pip install --upgrade 'nova>=15.0.2'

References

https://nvd.nist.gov/vuln/detail/CVE-2017-7214 [ADVISORY]
https://github.com/openstack/nova/commit/3f985f1eda6f29180878a3d21c20c5057179486a [WEB]
https://github.com/openstack/nova/commit/acb19160d4d348e29a21ad57c61c7369352c4d1c [WEB]
https://github.com/openstack/nova/commit/c2c91ce44592fc5dc2aacee1cf7f5b5cfd2e9a0a [WEB]
https://github.com/openstack/nova/commit/e193201fa1de5b08b29adefd8c149935c5529598 [WEB]
https://access.redhat.com/errata/RHSA-2017:1508 [WEB]
https://access.redhat.com/errata/RHSA-2017:1595 [WEB]
https://github.com/openstack/nova [PACKAGE]
https://launchpad.net/bugs/1673569 [WEB]
http://www.securityfocus.com/bid/96998 [WEB]