Описание
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | instack-undercloud | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | openstack-tripleo-heat-templates | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Director | inkstack-undercloud | Affected | ||
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | ahc-tools | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | instack-undercloud | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | openstack-ironic-discoverd | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | openstack-tripleo-common | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | openstack-tripleo-heat-templates | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | openstack-tripleo-image-elements | Fixed | RHSA-2015:1862 | 08.10.2015 |
| Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7 | openstack-tripleo-puppet-elements | Fixed | RHSA-2015:1862 | 08.10.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.3 Medium
CVSS2
Связанные уязвимости
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
The TripleO Heat templates (tripleo-heat-templates) do not properly or ...
TripleO Heat templates might allow remote attackers to obtain sensitive information from private containers
EPSS
4.3 Medium
CVSS2