Critical Vulnerability Information

Vulnerability ID: Bug 1414698 (CVE-2017-2592)

Vulnerability Description: Software using the class in oslo.middleware may include sensitive values in error messages, which can be leaked into Neutron error logs. For example, complete API requests (including Keystone tokens in headers) may be exposed.

Affected Versions: =3.9.0 =3.20.0 <=3.22.0

Fix Information

Fixed Versions: python-oslo-middleware 3.8.1, python-oslo-middleware 3.19.1, python-oslo-middleware 3.23.1

Patches:
- Ocata patch (https://bugzilla.redhat.com/attachment.cgi?id=1243810)
- Newton patch (https://bugzilla.redhat.com/attachment.cgi?id=1243811)
- Mitaka patch (https://bugzilla.redhat.com/attachment.cgi?id=1243812)

Related Links

Public Disclosure:
- https://lists.openstack.org/pipermail/openstack-announce/2017-January/002002.html

Upstream Bug:
- https://bugs.launchpad.net/keystonemiddleware/+bug/1628031

Security Advisories:
- Red Hat OpenStack Platform 10.0 (Newton) - RHSA-2017:0300 (https://rhn.redhat.com/errata/RHSA-2017-0300.html)
- Red Hat OpenStack Platform 9.0 (Mitaka) - RHSA-2017:0435 (https://rhn.redhat.com/errata/RHSA-2017-0435.html)
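
The vulnerability description above concerns request text, token headers included, reaching an error log. As an added illustration (not oslo.middleware's code and not the content of the linked patches), the following Python logging formatter masks credential headers in the fully formatted record as defence in depth; the header list, the logger name and the sample request are assumptions constructed for the example.

```python
import io
import logging
import re

# Assumed list of credential-bearing headers; extend for your deployment.
SENSITIVE_HEADERS = ("X-Auth-Token", "X-Subject-Token", "X-Service-Token", "Authorization")

# Header name, optional closing quote (dict reprs), colon, then the rest of the line.
_HEADER_RE = re.compile(
    r"((?:%s)['\"]?[ \t]*:[ \t]*)[^\r\n]*" % "|".join(map(re.escape, SENSITIVE_HEADERS)),
    re.IGNORECASE,
)


def redact(text):
    """Replace everything after a sensitive header name, up to end of line."""
    return _HEADER_RE.sub(r"\1<REDACTED>", text)


class RedactingFormatter(logging.Formatter):
    """Scrub the fully formatted record, so message, args and traceback are covered."""

    def format(self, record):
        return redact(super().format(record))


def demo():
    """Log a constructed request dump the way a catch-all error handler might."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("redact_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.propagate = False
    request_text = (  # constructed sample, not a captured request
        "GET /v2.0/networks HTTP/1.1\r\n"
        "Host: neutron.example.test\r\n"
        "X-Auth-Token: constructed-token-0123456789\r\n"
        "Accept: application/json\r\n"
    )
    try:
        raise RuntimeError("backend failure while handling:\n" + request_text)
    except RuntimeError:
        # The token appears twice: in the message argument and in the traceback.
        log.exception("An error occurred during processing the request: %s", request_text)
    return stream.getvalue()
```

A formatter only protects the handlers it is attached to, so it complements installing the fixed package versions rather than replacing them.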