Launchpad.net

CVE 2014-4615

The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).

Related bugs and status

CVE-2014-4615 (Candidate) is related to these bugs:

Bug #1321080: [OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)

		In	Importance	Status
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	oslo-incubator	Critical	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	pycadf	Critical	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	Ceilometer	Undecided	Invalid
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	OpenStack Security Advisory	Medium	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	neutron	Undecided	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	neutron icehouse	Undecided	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	Ceilometer havana	Critical	Fix Released
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	Ceilometer icehouse	Critical	Fix Committed
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	oslo-incubator havana	Critical	Fix Committed
1321080	[OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615)	oslo-incubator icehouse	Undecided	Fix Committed

Bug #1354159: [SRU] icehouse 2014.1.2 point release

		In	Importance	Status
1354159	[SRU] icehouse 2014.1.2 point release	nova (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	cinder (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	glance (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	ceilometer (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	heat (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	horizon (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	keystone (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	neutron (Ubuntu)	Undecided	Invalid
1354159	[SRU] icehouse 2014.1.2 point release	openstack-trove (Ubuntu)	Undecided	Won't Fix
1354159	[SRU] icehouse 2014.1.2 point release	ceilometer (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	cinder (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	glance (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	heat (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	horizon (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	keystone (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	neutron (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	nova (Ubuntu Trusty)	Undecided	Fix Released
1354159	[SRU] icehouse 2014.1.2 point release	openstack-trove (Ubuntu Trusty)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014062...
MLIST: [oss-security] 2014062...
MLIST: [oss-security] 2014062...
REDHAT: RHSA-2014:1050
UBUNTU: USN-2311-1
BID: 68149
SECUNIA: 60643
SECUNIA: 60736
SECUNIA: 60766