Vulnerability Name:

CVE-2014-7230 (CCN-96725)

Assigned:2014-09-29
Published:2014-09-29
Updated:2018-11-16
Summary:The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2014-7230

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1939

Source: CCN
Type: oss-security Mailing List, Mon, 29 Sep 2014 22:39:40 -0400 (EDT)
Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20140929 Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove

Source: CCN
Type: oss-security Mailing List, Wed, 15 Oct 2014 14:06:23 -0400
[OSSA 2014-036] Potential leak of passwords into log files (CVE-2014-7230, CVE-2014-7231)

Source: CCN
Type: IBM Security Bulletin T1022026
IBM Cloud Manager with OpenStack Vulnerabilities (CVE-2014-7230 CVE-2014-7231 CVE-2014-7144 CVE-2014-3641 CVE-2014-3608)

Source: CCN
Type: IBM Security Bulletin N1020612
IBM PowerVC is Impacted by OpenStack Cinder and Nova Information Disclosure (CVE-2014-7230, CVE-2014-7231)

Source: CCN
Type: IBM Security Bulletin 1698837
Multiple Vulnerabilities in IBM SmartCloud Orchestrator, IBM SmartCloud Orchestrator Enterprise and bundling products (CVE-2015-2808, CVE-2015-0138, CVE-2014-8730, CVE-2014-3566, and others).

Source: CCN
Type: IBM Security Bulletin 1961009
Multiple vulnerabilities have been identified in IBM SmartCloud Provisioning and bundling products

Source: BID
Type: Third Party Advisory, VDB Entry
70185

Source: CCN
Type: BID-70185
OpenStack Cinder/Nova/Trove CVE-2014-7230 Local Password Disclosure Vulnerability

Source: UBUNTU
Type: Third Party Advisory
USN-2405-1

Source: CCN
Type: OSSA 2014-036
Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

Source: CONFIRM
Type: Third Party Advisory
https://bugs.launchpad.net/oslo-incubator/+bug/1343604

Source: CCN
Type: Red Hat Bugzilla Bug 1147722
(CVE-2014-7230, CVE-2014-7231) CVE-2014-7230 CVE-2014-7231 OpenStack Cinder, Nova, Trove: potential leak of passwords into log files

Source: XF
Type: Third Party Advisory, VDB Entry
openstack-cinder-cve20147230-info-disc(96725)

Source: XF
Type: UNKNOWN
openstack-cinder-cve20147230-info-disc(96725)

Source: CCN
Type: Openstack GIT Repository
Sync latest process and str utils from oslo

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openstack:cinder:*:*:*:*:*:*:*:* (Version >= 2013.2 and < 2013.2.4)
  • OR cpe:/a:openstack:cinder:*:*:*:*:*:*:*:* (Version >= 2014.1 and < 2014.1.3)
  • OR cpe:/a:openstack:nova:*:*:*:*:*:*:*:* (Version >= 2013.2 and < 2013.2.4)
  • OR cpe:/a:openstack:nova:*:*:*:*:*:*:*:* (Version >= 2014.1 and < 2014.1.3)
  • OR cpe:/a:openstack:trove:*:*:*:*:*:*:*:* (Version >= 2013.2 and < 2013.2.4)
  • OR cpe:/a:openstack:trove:*:*:*:*:*:*:*:* (Version >= 2014.1 and < 2014.1.3)

    • Configuration 2:
  • cpe:/a:redhat:openstack:5.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

    • Configuration CCN 1:
  • cpe:/a:openstack:cinder:2013.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:cinder:2014.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:2013.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:2014.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:2014.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:trove:2013.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:trove:2014.1.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:smartcloud_provisioning:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:powervc:1.2.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:powervc:1.2.1.0:-:-:-:standard:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.3.0.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:55240
    P
    		Security update for libesmtp (Important)
    2021-09-02
    oval:org.opensuse.security:def:55232
    P
    		Security update for fetchmail (Moderate)
    2021-08-18
    oval:org.opensuse.security:def:55925
    P
    		Security update for MozillaFirefox (Important)
    2021-07-16
    oval:org.opensuse.security:def:55923
    P
    		Security update for openexr (Important)
    2021-06-24
    oval:org.opensuse.security:def:55915
    P
    		Security update for java-1_8_0-openjdk (Moderate)
    2021-06-15
    oval:org.opensuse.security:def:55242
    P
    		Security update for openvswitch (Important)
    2021-02-03
    oval:org.opensuse.security:def:55102
    P
    		evince on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56601
    P
    		Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55077
    P
    		coreutils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56474
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:56210
    P
    		Security update for ceph (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55757
    P
    		Security update for ldb, samba, talloc, tdb, tevent (Important)
    2020-12-01
    oval:org.opensuse.security:def:55470
    P
    		Security update for cups, cups154 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55080
    P
    		cracklib on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56520
    P
    		Security update for postgresql96 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56400
    P
    		Security update for krb5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55651
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:56603
    P
    		Security update for ncurses (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55079
    P
    		cpp48 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56482
    P
    		Security update for SuSEfirewall2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56308
    P
    		Security update for libplist (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55759
    P
    		Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss (Important)
    2020-12-01
    oval:org.opensuse.security:def:55478
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:55092
    P
    		dia on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56522
    P
    		Security update for rsync (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56408
    P
    		Security update for gwenhywfar (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56200
    P
    		Security update for libwpd (Important)
    2020-12-01
    oval:org.opensuse.security:def:55653
    P
    		Security update for LibreOffice (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55070
    P
    		busybox on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56484
    P
    		Security update for krb5 (Important)
    2020-12-01
    oval:org.opensuse.security:def:56316
    P
    		Security update for wireshark (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55480
    P
    		Security update for compat-openssl098 (Important)
    2020-12-01
    oval:org.opensuse.security:def:55100
    P
    		empathy on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56593
    P
    		Security update for liblouis (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55069
    P
    		bogofilter on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56410
    P
    		Security update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56208
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:55749
    P
    		Security update for xscreensaver (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55078
    P
    		cpio on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:56512
    P
    		Security update for glibc (Important)
    2020-12-01
    oval:org.opensuse.security:def:56318
    P
    		Security update for libxml2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:55643
    P
    		Security update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:20147230
    V
    		CVE-2014-7230
    2020-11-28
    oval:org.mitre.oval:def:28233
    P
    		USN-2407-1 -- OpenStack Nova vulnerabilities
    2014-12-29
    oval:org.mitre.oval:def:27770
    P
    		USN-2405-1 -- OpenStack Cinder vulnerabilities
    2014-12-29
    oval:com.ubuntu.artful:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 17.10 (artful) - low.
    2014-10-08
    oval:com.ubuntu.xenial:def:201472300000000
    V
    		CVE-2014-7230 on Ubuntu 16.04 LTS (xenial) - low.
    2014-10-08
    oval:com.ubuntu.trusty:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 14.04 LTS (trusty) - low.
    2014-10-08
    oval:com.ubuntu.bionic:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 18.04 LTS (bionic) - low.
    2014-10-08
    oval:com.ubuntu.disco:def:201472300000000
    V
    		CVE-2014-7230 on Ubuntu 19.04 (disco) - low.
    2014-10-08
    oval:com.ubuntu.xenial:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 16.04 LTS (xenial) - low.
    2014-10-08
    oval:com.ubuntu.cosmic:def:201472300000000
    V
    		CVE-2014-7230 on Ubuntu 18.10 (cosmic) - low.
    2014-10-08
    oval:com.ubuntu.cosmic:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 18.10 (cosmic) - low.
    2014-10-08
    oval:com.ubuntu.bionic:def:201472300000000
    V
    		CVE-2014-7230 on Ubuntu 18.04 LTS (bionic) - low.
    2014-10-08
    oval:com.ubuntu.precise:def:20147230000
    V
    		CVE-2014-7230 on Ubuntu 12.04 LTS (precise) - low.
    2014-10-08
    BACK
    openstack cinder *
    openstack cinder *
    openstack nova *
    openstack nova *
    openstack trove *
    openstack trove *
    redhat openstack 5.0
    canonical ubuntu linux 14.04
    openstack cinder 2013.2.3
    openstack cinder 2014.1.2
    openstack nova 2013.2.3
    openstack nova 2014.1
    openstack nova 2014.1.2
    openstack trove 2013.2.3
    openstack trove 2014.1.2
    ibm smartcloud provisioning 2.1.0
    ibm smartcloud provisioning 2.1.0.1
    ibm powervc 1.2.0.0
    ibm cloud orchestrator 2.3
    ibm powervc 1.2.1.0 -
    ibm cloud orchestrator 2.3.0.1