Information disclosure in Red Hat OpenStack

#VU6609 Information disclosure in Red Hat OpenStack

Published: 2017-05-19

Vulnerability identifier: #VU6609

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2621

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Red Hat OpenStack
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper security restrictions on the /var/log/heat directory. A local attacker can navigate to the /var/log/heat directory and gain access to important data such as log files.

Successful exploitation of the vulnerability results in information disclosure on the target system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Red Hat OpenStack: 10.0

External links
http://access.redhat.com/security/cve/CVE-2017-2621

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Two vulnerabilities in Red Hat OpenStack