Red Hat update for Red Hat Enterprise Linux OpenStack Platform

1) Information disclosure

EUVDB-ID: #VU16629

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16876

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenStack Director Deployment Tools: 13.0

Red Hat OpenStack for IBM Power: 13.0

Red Hat OpenStack: 13.0

Red Hat Enterprise Linux Desktop: 7

Red Hat Enterprise Linux Workstation: 7

Red Hat Enterprise Linux Server: 7

CPE2.3

• cpe:2.3:a:red_hat:red_hat_openstack_director_deployment_tools:13.0:*:*:*:*:*:*:
• cpe:2.3:a:red_hat:red_hat_openstack_for_ibm_power:13.0:*:*:*:*:*:*:
• cpe:2.3:a:red_hat:red_hat_openstack:13.0:*:*:*:*:*:*:
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_desktop:7:*:*:*:*:red_hat_enterprise_linux:*:
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_workstation:7:*:*:*:*:red_hat_enterprise_linux:*:
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_server:7:*:*:*:*:red_hat_enterprise_linux:*:

External links

http://access.redhat.com/errata/RHSA-2019:0564

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.