Vulnerability Name: CVE-2017-2592 (CCN-123956)

Assigned: 2016-12-01
Published: 2017-02-22
Updated: 2019-10-09
Summary: python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-532
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-2592

Source: CONFIRM
Type: Patch, Vendor Advisory
http://lists.openstack.org/pipermail/openstack-announce/2017-January/002002.html

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:0300

Source: CCN
Type: RHSA-2017-0435
Moderate: python-oslo-middleware security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:0435

Source: CCN
Type: IBM Security Bulletin N1022229 (PowerVC Standard Edition)
IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592)

Source: CCN
Type: IBM Security Bulletin S1010471 (Spectrum Scale)
IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592)

Source: BID
Type: Third Party Advisory, VDB Entry
95827

Source: CCN
Type: BID-95827
OpenStack oslo.middleware CVE-2017-2592 Information Disclosure Vulnerability

Source: CONFIRM
Type: Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0300

Source: CONFIRM
Type: Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0435

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugs.launchpad.net/keystonemiddleware/+bug/1628031

Source: CCN
Type: Red Hat Bugzilla
Bug 1414698 - (CVE-2017-2592) CVE-2017-2592 python-oslo-middleware: CatchErrors leaks sensitive values into error log

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2592

Source: XF
Type: UNKNOWN
python-cve20172592-info-disc(123956)

Source: CCN
Type: Python Package Index
oslo.middleware 3.24.0

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://review.openstack.org/#/c/425730/

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://review.openstack.org/#/c/425732/

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://review.openstack.org/#/c/425734/

Source: UBUNTU
Type: Third Party Advisory
USN-3666-1

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openstack:oslo.middleware:*:*:*:*:*:*:*:* (Version <= 3.8.0)
  • OR cpe:/a:openstack:oslo.middleware:*:*:*:*:*:*:*:* (Version >= 3.9.0 and <= 3.19.0)
  • OR cpe:/a:openstack:oslo.middleware:*:*:*:*:*:*:*:* (Version >= 3.20.0 and <= 3.23.0)

Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20172592 | V | CVE-2017-2592 | 2022-05-20
oval:org.opensuse.security:def:58055 | P | Security update for webkit2gtk3 (Important) | 2021-12-01
oval:org.opensuse.security:def:58031 | P | Security update for strongswan (Important) | 2021-10-19
oval:org.opensuse.security:def:57113 | P | Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important) | 2021-10-18
oval:org.opensuse.security:def:57081 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-08-25
oval:org.opensuse.security:def:57981 | P | Security update for dbus-1 (Important) | 2021-08-02
oval:org.opensuse.security:def:57957 | P | Security update for openexr (Important) | 2021-06-24
oval:org.opensuse.security:def:57950 | P | Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important) | 2021-06-18
oval:org.opensuse.security:def:57007 | P | Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important) | 2021-06-04
oval:org.opensuse.security:def:55192 | P | Security update for djvulibre (Important) | 2021-05-31
oval:org.opensuse.security:def:57912 | P | Security update for samba (Important) | 2021-05-04
oval:org.opensuse.security:def:56015 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:57907 | P | Security update for gdm (Important) | 2021-04-28
oval:org.opensuse.security:def:55170 | P | Security update for clamav (Important) | 2021-04-14
oval:org.opensuse.security:def:55169 | P | Security update for xorg-x11-server (Important) | 2021-04-14
oval:org.opensuse.security:def:57187 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important) | 2021-03-17
oval:org.opensuse.security:def:57564 | P | Security update for wpa_supplicant (Important) | 2021-03-09
oval:org.opensuse.security:def:55849 | P | Security update for bind (Important) | 2021-02-18
oval:org.opensuse.security:def:57838 | P | Security update for openssl (Important) | 2020-12-11
oval:org.opensuse.security:def:56908 | P | Security update for xen (Important) | 2020-12-07
oval:org.opensuse.security:def:55743 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:56530 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56433 | P | Security update for curl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56574 | P | Security update for util-linux (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57638 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:55570 | P | Security update for binutils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56508 | P | Security update for gdk-pixbuf (Low) | 2020-12-01
oval:org.opensuse.security:def:56500 | P | Security update for openssh (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57353 | P | Security update for foomatic-filters (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55332 | P | mutt on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56507 | P | Security update for wireshark (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56408 | P | Security update for gwenhywfar (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56834 | P | Security update for libX11 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56693 | P | Security update for p7zip (Important) | 2020-12-01
oval:org.opensuse.security:def:57764 | P | libXRes1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56300 | P | Security update for MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:56596 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56612 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:57672 | P | autofs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56456 | P | Security update for emacs (Important) | 2020-12-01
oval:org.opensuse.security:def:56670 | P | Security update for exiv2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56434 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:57876 | P | logrotate on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57746 | P | iputils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57279 | P | Security update for xorg-x11-libXext | 2020-12-01
oval:org.opensuse.security:def:80690 | P | Security update for python-oslo.cache, python-oslo.concurrency, python-oslo.db, python-oslo.log, python-oslo.messaging, python-oslo.middleware, python-oslo.serialization, python-oslo.service, python-oslo.utils, python-oslo.versionedobjects, python-oslo.vmware, python-oslotest (Moderate) | 2018-11-27
oval:com.ubuntu.artful:def:20172592000 | V | CVE-2017-2592 on Ubuntu 17.10 (artful) - low. | 2018-05-08
oval:com.ubuntu.bionic:def:201725920000000 | V | CVE-2017-2592 on Ubuntu 18.04 LTS (bionic) - low. | 2018-05-08
oval:com.ubuntu.bionic:def:20172592000 | V | CVE-2017-2592 on Ubuntu 18.04 LTS (bionic) - low. | 2018-05-08
oval:com.ubuntu.xenial:def:201725920000000 | V | CVE-2017-2592 on Ubuntu 16.04 LTS (xenial) - low. | 2018-05-08
oval:com.ubuntu.xenial:def:20172592000 | V | CVE-2017-2592 on Ubuntu 16.04 LTS (xenial) - low. | 2018-05-08
oval:org.opensuse.security:def:80616 | P | Security update for python-oslo.middleware (Moderate) | 2017-04-19