python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
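The following is an added illustration of the weakness class described above; it is not oslo.middleware's code. It constructs a minimal WSGI catch-all middleware in two forms: a leaky one that writes the caught exception's message (and so any token the raising code embedded in it) straight to the error log, and a hardened one that logs only the exception class, a correlation id returned to the client, and a scrubbed message. The application, header name, sensitive-keyword list and redaction pattern are all assumptions made for the example.

```python
import logging
import re
import uuid

LOG = logging.getLogger("catch_errors_example")

# Constructed keyword list and pattern: mask the value that follows a
# sensitive keyword ("token abc", "password=abc", "secret: abc").
SENSITIVE_KEYS = ("token", "password", "secret")
_SCRUB_RE = re.compile(r"(?i)\b(%s)\b(\s*[=:]?\s*)(\S+)" % "|".join(SENSITIVE_KEYS))


def scrub(message):
    """Return message with values after sensitive keywords replaced by ***."""
    return _SCRUB_RE.sub(lambda m: m.group(1) + m.group(2) + "***", message)


def app_that_leaks_token(environ, start_response):
    """Hypothetical downstream app that puts the caller's token in an exception message."""
    token = environ.get("HTTP_X_AUTH_TOKEN", "")
    raise RuntimeError("backend rejected request with token %s" % token)


class LeakyCatchErrors:
    """Logs the exception verbatim with its traceback, so the token reaches the log."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception as exc:
            LOG.exception("An error occurred during processing the request: %s", exc)
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred.\n"]


class HardenedCatchErrors:
    """Logs exception class, a correlation id and a scrubbed message; no traceback."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception as exc:
            request_id = str(uuid.uuid4())
            LOG.error("request %s failed: %s: %s",
                      request_id, type(exc).__name__, scrub(str(exc)))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"), ("X-Request-Id", request_id)])
            return [("An unknown error has occurred. Reference: %s\n" % request_id).encode()]


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the test can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def run_request(middleware_cls, token):
    """Drive one request through middleware_cls; return (status, body, captured log text)."""
    handler = _ListHandler()
    LOG.addHandler(handler)
    LOG.setLevel(logging.DEBUG)
    LOG.propagate = False
    result = {}

    def start_response(status, headers):
        result["status"] = status
        result["headers"] = headers

    try:
        environ = {"HTTP_X_AUTH_TOKEN": token}  # constructed request environment
        body = b"".join(middleware_cls(app_that_leaks_token)(environ, start_response))
    finally:
        LOG.removeHandler(handler)
    return result["status"], body, "\n".join(handler.lines)


if __name__ == "__main__":
    for cls in (LeakyCatchErrors, HardenedCatchErrors):
        status, body, log_text = run_request(cls, "tok-EXAMPLE-12345")
        print(cls.__name__, status, "token in log:", "tok-EXAMPLE-12345" in log_text)
```

The scrubbing step is defence in depth only: the primary fix is not to write untrusted exception text or full tracebacks at error level in a request path, and to give operators a correlation id instead so a user report can still be matched to a log line.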
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Oslo.middleware | Openstack | * | 3.8.0 (including) |
| Oslo.middleware | Openstack | 3.9.0 (including) | 3.19.0 (including) |
| Oslo.middleware | Openstack | 3.20.0 (including) | 3.23.0 (including) |
| Red Hat OpenStack Platform 10.0 (Newton) | RedHat | python-oslo-middleware-0:3.19.0-1.2.el7ost | * |
| Red Hat OpenStack Platform 9.0 (Mitaka) | RedHat | python-oslo-middleware-0:3.7.0-2.el7ost | * |
| Python-oslo.middleware | Ubuntu | upstream | * |
| Python-oslo.middleware | Ubuntu | xenial | * |
| Python-oslo.middleware | Ubuntu | yakkety | * |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: