CVE-2014-7230

Published: 08 October 2014

The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.

Priority

Low

Status

Package Release Status
cinder
Launchpad, Ubuntu, Debian
Upstream: Released (2013.2.4, 2014.1.3)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:2014.2~rc2-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1:2014.2~rc2-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1:2014.1.3-0ubuntu1])
Patches:
Upstream: https://review.openstack.org/#/c/126052/ (juno)
Upstream: https://review.openstack.org/#/c/121382/ (icehouse)
Upstream: https://review.openstack.org/#/c/121095/ (havana)
nova
Launchpad, Ubuntu, Debian
Upstream: Released (2013.2.4, 2014.1.3)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:2014.2~rc2-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1:2014.2~rc2-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1:2014.1.3-0ubuntu1])
Patches:
Upstream: https://review.openstack.org/#/c/126047/ (juno)
Upstream: https://review.openstack.org/#/c/121383/ (icehouse)
Upstream: https://review.openstack.org/#/c/121096/ (havana)
trove
Launchpad, Ubuntu, Debian
Upstream: Released (2013.2.4, 2014.1.3)
Ubuntu 18.04 LTS (Bionic Beaver): Ignored
Ubuntu 16.04 ESM (Xenial Xerus): Ignored
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)
Patches:
Upstream: https://review.openstack.org/#/c/121417/ (juno)
Upstream: https://review.openstack.org/#/c/121416/ (icehouse)

Notes

Author: Note
jdstrand: nova/utils.py on Essex, but it only logs it with debug logging enabled. Reducing the priority for nova on 12.04 LTS.
ebarretto: trove is GNU trove, and this bug affects OpenStack trove. So setting trove status to ignored.
