Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 515050 (CVE-2014-4615) - <dev-python/pycadf-0.5-r1, sys-cluster/neutron: token leak to message queue (CVE-2014-4615) (OSSA 2014-021)
Summary: <dev-python/pycadf-0.5-r1, sys-cluster/neutron: token leak to message queue (...
Status: RESOLVED FIXED
Alias: CVE-2014-4615
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-25 07:21 UTC by Agostino Sarubbo
Modified: 2016-03-29 08:03 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-25 07:21:53 UTC
From ${URL} :

The OpenStack project reports:

""
Title: User token leak to message queue in pyCADF notifier middleware
Reporter: Zhi Kun Liu (IBM)
Products: Neutron    (2014.1 versions up to 2014.1.1)
          Ceilometer (2013.2 versions up to 2013.2.3,
                      2014.1 versions up to 2014.1.1)
          pyCADF library (all versions up to 0.5.0)

Description:
Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware
available in the PyCADF library and formerly copied into Neutron and
Ceilometer code. An attacker with read access to the message queue may
obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that
goes through the notifier middleware. All services using the notifier
middleware configured after the auth_token middleware pipeline are impacted.
""


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-26 09:58:09 UTC
pyCADF fix (included in 0.5.1 release):
https://review.openstack.org/94878      (pyCADF)

Juno (development branch) fix:
https://review.openstack.org/94891      (Neutron)

Icehouse fix:
https://review.openstack.org/101097     (Neutron)
https://review.openstack.org/96944      (Ceilometer)

Havana fix:
https://review.openstack.org/101799     (Ceilometer)

Notes:
Ceilometer Juno (master) branch is not affected.
Those fixes will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-27 05:59:59 UTC
https://bugs.launchpad.net/oslo/+bug/1321080

better link
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2014-06-27 10:54:58 UTC
*pycadf-0.5-r1 (27 Jun 2014)

  27 Jun 2014; Ian Delaney <idella4@gentoo.org> +files/CVE-2014-4615.patch,
  +pycadf-0.5-r1.ebuild, -pycadf-0.5.ebuild:
  sec. patch wrt Bug #515050, add IUSE, doc build, fix test phase, rm vuln.
  version
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-27 23:09:41 UTC
does this mean we need to fix it outside of the pycadf lib?
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:41:04 UTC
CVE-2014-4615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4615):
  The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry
  (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron
  2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote
  authenticated users to obtain X_AUTH_TOKEN values by reading the message
  queue (v2/meters/http.request).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:41:18 UTC
CVE-2014-4615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4615):
  The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry
  (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron
  2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote
  authenticated users to obtain X_AUTH_TOKEN values by reading the message
  queue (v2/meters/http.request).
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-13 04:07:37 UTC
ya, don't see any vulnerable versions of either package in tree
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 08:03:45 UTC
No vulnerable versions in tree.