ESA-26: Sensitive Information in the Eucalyptus Log Files
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-26
Issue Date: 2014-10-20
Last Updated: 2014-11-03
Severity Level: Low
Affected Versions: Eucalyptus 3.0.0 to Eucalyptus 4.0.1
CVE Number: CVE-2014-5038
====================================================================
OVERVIEW
------------
A security issue has been identified in Eucalyptus 3.0.0 to 4.0.1 where security-sensitive information was written to Eucalyptus log files on the user-facing services (UFS) components. An update is now available in 4.0.2 that resolves this issue.
DESCRIPTION
-------------
It was found that cloud log files on UFS components can contain security-sensitive information including user passwords at the DEBUG and lower logging levels. Disclosure of user or system passwords could allow someone to gain access to Eucalyptus resources, and potentially allow access to resources outside of Eucalyptus if passwords are reused.
SOLUTION
-------------
Logging levels lower than INFO are not recommended and should not be used in production-level deployments. Eucalyptus 4.0.2 resolves this issue completely by removing logging of sensitive data at all log levels. Please see
http://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.
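An added example, not part of the original advisory or of Eucalyptus itself: a Python triage script that flags DEBUG- and TRACE-level log lines carrying password-like fields and reports them with the value redacted, so exposure in existing log files can be assessed. The log line layout, the key names matched and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: each line carries a log4j-style level token as a standalone word.
LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\b")
LOW_LEVELS = {"DEBUG", "TRACE"}  # levels below INFO, per the advisory

# Assumption: secrets appear as key=value or key: value; key names are guesses.
SECRET_RE = re.compile(
    r"(?i)(\w*(?:password|passwd|secret)\w*)(\s*[=:]\s*)"
    r"(\"[^\"]*\"|'[^']*'|[^\s,;&]+)"
)

def scan(lines):
    """Return (line_no, level, redacted_line) for low-level lines with secrets."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        level = LEVEL_RE.search(line)  # first level token on the line
        if not level or level.group(1) not in LOW_LEVELS:
            continue
        # Replace only the value so the report never repeats the secret.
        redacted, hits = SECRET_RE.subn(
            lambda m: m.group(1) + m.group(2) + "[REDACTED]", line
        )
        if hits:
            findings.append((line_no, level.group(1), redacted.rstrip()))
    return findings

# Constructed sample lines; not real Eucalyptus output.
SAMPLE = [
    "2014-10-01 12:00:01 INFO  UserService login ok user=alice",
    "2014-10-01 12:00:02 DEBUG UserService params: user=alice&password=hunter2&action=Login",
    "2014-10-01 12:00:03 TRACE Auth newPassword: \"s3cr3t value\" for account=demo",
    "2014-10-01 12:00:04 DEBUG Scheduler tick",
    "2014-10-01 12:00:05 WARN  Auth login failed user=bob",
]

if __name__ == "__main__":
    # With file arguments, scan each file; otherwise scan the constructed sample.
    sources = sys.argv[1:]
    if not sources:
        for line_no, level, text in scan(SAMPLE):
            print(f"sample:{line_no} [{level}] {text}")
    for path in sources:
        with open(path, errors="replace") as fh:
            for line_no, level, text in scan(fh):
                print(f"{path}:{line_no} [{level}] {text}")
```

Run it with log file paths as arguments; with no arguments it scans the constructed sample.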
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at
secu...@eucalyptus.com.