CVE-2019-3866
First published: Tue Nov 05 2019(Updated: )
A vulnerability was discovered that all the data from the TripleO heat stack (user provided and generated passwords, certificates, ssh keys) are available in the mistral logs on the undercloud, in clear text.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openstack-mistral | <0:9.0.2-0.20191125120837.6651519.el8 | 0:9.0.2-0.20191125120837.6651519.el8 |
| Redhat Openstack-mistral | ||
| Redhat Openstack | =10 | |
| Redhat Openstack | =13 | |
| Redhat Openstack | =14 | |
| Redhat Openstack | =15 |
Remedy
Plain text information can be masked by ensuring that all mistral log files are not world readable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3866
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1770043
- https://bugs.launchpad.net/tripleo/+bug/1850843
- https://launchpadlibrarian.net/449472809/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
- https://launchpadlibrarian.net/449473654/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch
- https://access.redhat.com/errata/RHSA-2021:0420
- https://access.redhat.com/security/cve/cve-2019-3866
- https://bugzilla.redhat.com/show_bug.cgi?id=1768731
- https://www.cve.org/CVERecord?id=CVE-2019-3866 https://nvd.nist.gov/vuln/detail/CVE-2019-3866
- https://access.redhat.com/errata/RHEA-2020:0283
Frequently Asked Questions
What is CVE-2019-3866?
CVE-2019-3866 is an information-exposure vulnerability in openstack-mistral.
What is the severity of CVE-2019-3866?
CVE-2019-3866 has a severity score of 5.9 (medium).
How can a malicious system user exploit CVE-2019-3866?
A malicious system user could exploit CVE-2019-3866 by accessing sensitive user information stored in openstack-mistral's undercloud log files.
Which versions of openstack-mistral are affected by CVE-2019-3866?
Versions 7.1.0 up to 9.0.1 of openstack-mistral are affected by CVE-2019-3866.
How can I fix CVE-2019-3866?
To fix CVE-2019-3866, upgrade to version 9.0.2 or later of openstack-mistral.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-3866
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/redhat
- canonical/redhat openstack-mistral
- canonical/redhat openstack
- version/redhat openstack/10
- version/redhat openstack/13
- version/redhat openstack/14
- version/redhat openstack/15