==========================================================================
OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
==========================================================================
:Date: August 06, 2019
:CVE: CVE-2019-14433
Affects
~~~~~~~
- Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2
Description
~~~~~~~~~~~
Donny Davis with Intel reported a vulnerability in Nova Compute
resource fault handling. If an API request from an authenticated user
ends in a fault condition due to an external exception, details of the
underlying environment may be leaked in the response and could include
sensitive configuration or other data.
Patches
~~~~~~~
- https://review.openstack.org/674908 (Ocata)
- https://review.openstack.org/674877 (Pike)
- https://review.openstack.org/674859 (Queens)
- https://review.openstack.org/674848 (Rocky)
- https://review.openstack.org/674828 (Stein)
- https://review.openstack.org/674821 (Train)
Credits
~~~~~~~
- Donny Davis from Intel (CVE-2019-14433)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1837877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433
Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
will receive no new point releases, but patches for them are provided as a
courtesy.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
==========================================================================
:Date: August 06, 2019
:CVE: CVE-2019-14433
Affects
~~~~~~~
- Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2
Description
~~~~~~~~~~~
Donny Davis with Intel reported a vulnerability in Nova Compute
resource fault handling. If an API request from an authenticated user
ends in a fault condition due to an external exception, details of the
underlying environment may be leaked in the response and could include
sensitive configuration or other data.
Patches
~~~~~~~
- https://review.openstack.org/674908 (Ocata)
- https://review.openstack.org/674877 (Pike)
- https://review.openstack.org/674859 (Queens)
- https://review.openstack.org/674848 (Rocky)
- https://review.openstack.org/674828 (Stein)
- https://review.openstack.org/674821 (Train)
Credits
~~~~~~~
- Donny Davis from Intel (CVE-2019-14433)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1837877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433
Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance and
will receive no new point releases, but patches for them are provided as a
courtesy.
--
Jeremy Stanley
OpenStack Vulnerability Management Team
Attached Files:
-
signature.asc (0.94 KB)