Vulnerability Name:

CVE-2017-7214 (CCN-123591)

Assigned: 2017-03-16
Published: 2017-03-16
Updated: 2018-01-05
Summary: An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.
CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-532
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2017-7214

Source: CCN
Type: IBM Security Bulletin T1025340 (Cloud Manager with Openstack)
OpenStack Nova vulnerability affects IBM Cloud Manager with OpenStack (CVE-2017-7214)

Source: CCN
Type: IBM Security Bulletin N1022011 (PowerVC Standard Edition)
IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214)

Source: BID
Type: Third Party Advisory, VDB Entry
96998

Source: CCN
Type: BID-96998
OpenStack Nova CVE-2017-7214 Information Disclosure Vulnerability

Source: REDHAT
Type: UNKNOWN
RHSA-2017:1508

Source: REDHAT
Type: UNKNOWN
RHSA-2017:1595

Source: CCN
Type: Launchpad Bug #1673569
Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214)

Source: XF
Type: UNKNOWN
openstack-nova-cve20177214-info-disc(123591)

Source: CCN
Type: OpenStack Security Advisories
OSSA-2017-002 (CVE-2017-7214)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://launchpad.net/bugs/1673569

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openstack:nova:13.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:13.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:13.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:13.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:13.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:15.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:15.0.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openstack:nova:13.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:14.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:nova:15.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20177214 | V | CVE-2017-7214 | 2022-05-20
    oval:org.opensuse.security:def:57115 | P | Security update for strongswan (Important) | 2021-10-19
    oval:org.opensuse.security:def:57983 | P | Security update for djvulibre (Important) | 2021-08-05
    oval:org.opensuse.security:def:57959 | P | Security update for arpwatch (Important) | 2021-06-28
    oval:org.opensuse.security:def:57009 | P | Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important) | 2021-06-04
    oval:org.opensuse.security:def:57909 | P | Security update for java-1_7_0-openjdk (Moderate) | 2021-04-29
    oval:org.opensuse.security:def:57566 | P | Security update for python (Moderate) | 2021-03-16
    oval:org.opensuse.security:def:57674 | P | avahi on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56458 | P | Security update for spice (Important) | 2020-12-01
    oval:org.opensuse.security:def:57766 | P | libXext6 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56598 | P | Security update for gd (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:57281 | P | Security update for xorg-x11-libXp | 2020-12-01
    oval:org.opensuse.security:def:56435 | P | Security update for libplist (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:57840 | P | libpoppler44 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56836 | P | Security update for libssh2_org (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56436 | P | Security update for ImageMagick (Important) | 2020-12-01
    oval:org.opensuse.security:def:57878 | P | mailman on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:80618 | P | Security update for several openstack-components (Important) | 2017-05-30
    oval:com.ubuntu.precise:def:20177214000 | V | CVE-2017-7214 on Ubuntu 12.04 LTS (precise) - medium. | 2017-03-21
    oval:com.ubuntu.xenial:def:201772140000000 | V | CVE-2017-7214 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-03-21
    oval:com.ubuntu.trusty:def:20177214000 | V | CVE-2017-7214 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-03-21
    oval:com.ubuntu.xenial:def:20177214000 | V | CVE-2017-7214 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-03-21
    openstack nova 13.0.0
    openstack nova 13.1.0
    openstack nova 13.1.1
    openstack nova 13.1.2
    openstack nova 13.1.3
    openstack nova 14.0.0
    openstack nova 14.0.1
    openstack nova 14.0.2
    openstack nova 14.0.3
    openstack nova 14.0.4
    openstack nova 15.0.0
    openstack nova 15.0.1
    openstack nova 13.1.3
    openstack nova 14.0.4
    openstack nova 15.0.1