PT-2013-6022 · Openstack · Openstack Ceilometer

Eric Brown · Published 2013-11-23 · Updated 2020-10-21 · CVE-2013-6384

CVSS v2.0: 1.9 (Low)
Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenStack Ceilometer versions 2013.2 and earlier

Description: The issue allows local users to obtain sensitive information, specifically the DB2 or MongoDB password, by reading the log file when the logging level is set to INFO. This occurs because the connection string from ceilometer.conf is logged by impl_db2.py and impl_mongodb.py.

Recommendations: For OpenStack Ceilometer versions 2013.2 and earlier, consider changing the logging level from INFO to a less verbose setting to prevent sensitive information from being logged. As a temporary workaround, restrict access to the log files to minimize the risk of exploitation.
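As an added example (not code from the Ceilometer project or from this advisory), the following Python shows the safe logging pattern for the storage connection string: the password in the URL's userinfo is masked before the URL is logged, and a small scanner flags existing log lines that still carry an unmasked credential. The connection string, logger name and log lines are constructed samples.

```python
import logging
import re

# Credential embedded in a URL's userinfo: scheme://user:password@...
# Also covers multi-host URLs such as mongodb://u:p@h1:27017,h2:27017/db.
_CRED_RE = re.compile(
    r"^(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@"
)

# The same shape anywhere inside a log line; a password already masked
# as "***" is not reported as a leak.
_LEAK_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^:/@\s]+:(?!\*\*\*@)[^@\s]+@")


def redact_url(url):
    """Return url with the userinfo password replaced by '***'; URLs without a password are unchanged."""
    return _CRED_RE.sub(r"\g<scheme>\g<user>:***@", url, count=1)


def log_connection(url, log=None):
    """Log which storage backend is being used without exposing the password."""
    # Vulnerable pattern: log.info("connecting to %s", url) with the raw
    # connection string. Redacting first leaves only scheme, user, host, db.
    log = log or logging.getLogger("ceilometer.storage")  # assumed logger name
    safe = redact_url(url)
    log.info("connecting to %s", safe)
    return safe


def find_credential_leaks(lines):
    """Return indexes of log lines containing a URL with an unmasked password."""
    return [i for i, line in enumerate(lines) if _LEAK_RE.search(line)]


# Constructed sample values (the credential is made up for this example).
SAMPLE_URL = "mongodb://ceilometer:s3cr3t@db1.example.org:27017/ceilometer"
SAMPLE_LOG = [
    "2013-11-23 10:00:01 INFO ceilometer.storage connecting to " + SAMPLE_URL,
    "2013-11-23 10:00:02 INFO ceilometer.collector starting",
    "2013-11-23 10:00:03 INFO ceilometer.storage connecting to "
    + "mongodb://ceilometer:***@db1.example.org:27017/ceilometer",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log_connection(SAMPLE_URL)
    print("leaking lines:", find_credential_leaks(SAMPLE_LOG))
```

Running the scanner over an existing ceilometer log is a quick check of whether the INFO-level connection message has already written the password to disk.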

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2013-6384

Affected Products

Db2
Mongodb
Openstack Ceilometer