ESA-25: Sensitive Information in the Eucalyptus Requests Log

Eucalyptus Security Team

Nov 3, 2014, 1:36:45 PM
to security...@eucalyptus.com

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-25
Issue Date: 2014-10-20
Last Updated: 2014-11-03
Severity Level: Moderate
Affected Versions: Eucalyptus 4.0.0 to Eucalyptus 4.0.1
CVE Number: CVE-2014-5037
====================================================================

OVERVIEW
-------------

A security issue has been identified in Eucalyptus 4.0.0 and 4.0.1 where security-sensitive information was written into the Eucalyptus requests log files on user-facing services (UFS) components. An update is now available in 4.0.2 that resolves this issue.


DESCRIPTION
-------------

As part of the request logging capabilities introduced in Eucalyptus 4.0.0, security-sensitive information was logged in the cloud-requests.log log files at the INFO log level. This includes user passwords provided as part of login profile management API calls, as well as a subset of system credentials that can be set via the system properties management API (euca-modify-property). Disclosure of user or system passwords could allow someone to gain access to Eucalyptus resources, and potentially to resources outside of Eucalyptus if passwords are reused. The issue was previously partially remediated by restricting access to the cloud requests logs to the local user ‘eucalyptus’ (or users with root privileges).



SOLUTION
-------------

Eucalyptus 4.0.2 resolves this issue by masking sensitive data prior to logging it in the cloud requests logs. Please see http://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.
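As an added illustration of the masking approach described above (example code, not the Eucalyptus project's own implementation), the following Python redacts credential parameters from a request before it is written to a request log, and provides an audit check for log lines written before such masking was in place. The parameter names, the property naming convention and the log line format are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Request parameters whose values are credentials. Assumed names for this
# example: "Password" covers the login-profile API calls the advisory names,
# "Value" the property values set through euca-modify-property.
PASSWORD_PARAMS = {"Password", "NewPassword", "OldPassword"}
# A property Value is masked only when the property Name looks like a
# credential (assumed naming convention, e.g. "*.password" or "*.secretkey").
SECRET_PROPERTY_RE = re.compile(r"(password|secret|key)$", re.IGNORECASE)
MASK = "REDACTED"


def _is_sensitive(name: str, params: dict) -> bool:
    if name in PASSWORD_PARAMS:
        return True
    return name == "Value" and bool(SECRET_PROPERTY_RE.search(params.get("Name", "")))


def mask_query(query: str) -> str:
    """Mask credential values in a URL-encoded request query string.
    Parameter order and non-sensitive values are kept, so the entry stays
    useful for troubleshooting without carrying the secret itself."""
    pairs = parse_qsl(query, keep_blank_values=True)
    lookup = dict(pairs)
    return urlencode([(k, MASK if _is_sensitive(k, lookup) else v) for k, v in pairs])


def sanitize_log_line(line: str) -> str:
    """Apply mask_query to a line of the constructed form
    '<timestamp> INFO <client-ip> <query>' used by this example."""
    prefix, sep, query = line.rpartition(" ")
    return prefix + sep + mask_query(query)


def has_plaintext_secret(line: str) -> bool:
    """Audit check for logs written before the fix: True when a sensitive
    parameter is still present with an unmasked value."""
    pairs = parse_qsl(line.rpartition(" ")[2], keep_blank_values=True)
    lookup = dict(pairs)
    return any(_is_sensitive(k, lookup) and v != MASK for k, v in pairs)


# Constructed sample lines; action and property names are made up for
# the example and are not taken from a real cloud-requests.log.
SAMPLE_LINES = [
    "2014-10-20 10:00:01 INFO 10.0.0.5 Action=CreateLoginProfile&UserName=alice&Password=Hunter2",
    "2014-10-20 10:00:02 INFO 10.0.0.5 Action=ModifyPropertyValue&Name=example.service.password&Value=s3cret",
    "2014-10-20 10:00:03 INFO 10.0.0.5 Action=ModifyPropertyValue&Name=cloud.example.timeout&Value=60",
]
```

Running `has_plaintext_secret` over an existing log and `sanitize_log_line` at the point of logging covers both sides of the issue: finding entries that already leaked a credential and preventing new ones.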


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
