Headline
CVE-2017-2621: 1420990 – (CVE-2017-2621) CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
Description Summer Long 2017-02-10 04:46:10 UTC
The directory /var/log/heat is world readable and contains log files that are readable, which can result in the exposure of sensitive information. The ‘other readable/execute’ bits need to be removed from the /var/log/heat directory:
[stack@instack ~]$ ls -la /var/log/heat
total 39376
drwxr-xr-x.  2 heat root     4096 Feb  9 01:07 .
drwxr-xr-x. 31 root root     4096 Feb  9 01:02 ..
-rw-r--r--.  1 heat heat   201578 Feb  9 20:09 heat-api-cfn.log
-rw-r--r--.  1 heat heat  4899693 Feb  9 20:09 heat-api.log
-rw-r--r--.  1 heat heat 35193112 Feb  9 23:40 heat-engine.log
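An audit and remediation of the permissions described in the report above, as an added example that is not part of the original bug report or the heat project. It assumes GNU find and stat, runs against a constructed temporary directory standing in for /var/log/heat, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; assumes GNU findutils/coreutils (find -perm /MODE, stat -c).

# List entries at or below $1 that grant any permission to "other".
# Symlinks are skipped: their own mode is always 777 and is not enforced.
# Output: "<octal mode> <path>", one per line; empty when the tree is clean.
world_accessible() {
    find "$1" ! -type l -perm /007 -exec stat -c '%a %n' {} +
}

# Strip read/write/execute for "other" from the directory and its contents.
restrict_log_dir() {
    chmod -R o-rwx "$1"
}

# Build a constructed stand-in for /var/log/heat with the modes from the
# report (directory 755, logs 644) and echo its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for f in heat-api-cfn.log heat-api.log heat-engine.log; do
        : > "$d/$f"
        chmod 644 "$d/$f"
    done
    chmod 755 "$d"
    echo "$d"
}

# Audit, remediate, audit again on the constructed directory.
demo() {
    dir=$(make_sample_dir) || return 1
    echo "before:"; world_accessible "$dir"
    restrict_log_dir "$dir"
    echo "after:";  world_accessible "$dir"
    echo "directory mode now: $(stat -c '%a' "$dir")"
    rm -rf "$dir"
}

demo
```

With the directory at 750, users outside the owner and group cannot traverse into it, so the log files are unreachable to them whatever their own mode.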
Comment 1 Summer Long 2017-02-10 05:07:35 UTC
Acknowledgments:
Name: Hans Feldt (Ericsson)
Comment 3 Summer Long 2017-02-14 22:23:48 UTC
Created openstack-heat tracking bugs for this issue:
Affects: openstack-rdo [bug 1422265]