Adds OSSA-2016-002 (CVE-2015-8749)

Change-Id: I0ec105bd69ce7929b6cf10006e7b10e5d91782d8
2016-01-11 09:42:03 -08:00 · 2016-01-11 09:42:03 -08:00 · 7522bd8e85
commit 7522bd8e85
parent 2df8654a13
1 changed files with 52 additions and 0 deletions
--- a/ossa/OSSA-2016-002.yaml
+++ b/ossa/OSSA-2016-002.yaml
@ -0,0 +1,52 @@
+date: 2016-01-11
+
+id: OSSA-2016-002
+
+title: 'Xen connection password leak in logs via StorageError'
+
+description: 'Matt Riedemann from IBM reported an information disclosure
+    vulnerability in Nova. If a StorageError occurs when attempting to
+    connect a volume using the Xen API, the connection parameters will
+    be logged. These parameters may include credentials that are not
+    masked. An attacker with read access to Nova logs could use these
+    credentials with the Xen API directly. Only Nova deployments using
+    the Xen backend are affected by this flaw.'
+
+affected-products:
+
+  - product: nova
+    version: ">=2014.2 <= 2015.1.2, == 12.0.0"
+
+vulnerabilities:
+
+  - cve-id: CVE-2015-8749
+
+reporters:
+
+  - name: 'Matt Riedemann'
+    affiliation: IBM
+    reported:
+      - CVE-2015-8749
+
+issues:
+
+  links:
+    - https://bugs.launchpad.net/bugs/1516765
+  type: launchpad
+
+reviews:
+
+  mitaka:
+    - https://review.openstack.org/245987
+
+  liberty:
+    - https://review.openstack.org/247825
+
+  kilo:
+    - https://review.openstack.org/249239
+
+  type: gerrit
+
+notes:
+  - 'This fix will be included in future 2015.1.3 (kilo) and 12.0.1 (liberty)
+     releases.'