---
security:
  - |
    `OSSA-2019-003`_: Nova Server Resource Faults Leak External Exception
    Details (CVE-2019-14433)

    This release contains a security fix for `bug 1837877`_ where users
    without the admin role can be exposed to sensitive error details in
    the server resource fault ``message``.

    There is a behavior change where non-nova exceptions will only record
    the exception class name in the fault ``message`` field which is exposed
    to all users, regardless of the admin role.

    The fault ``details``, which are only exposed to users with the admin role,
    will continue to include the traceback and also include the exception
    value which for non-nova exceptions is what used to be exposed in the
    fault ``message`` field. Meaning, the information that admins could see
    for server faults is still available, but the exception value may be in
    ``details`` rather than ``message`` now.

    .. _OSSA-2019-003: https://security.openstack.org/ossa/OSSA-2019-003.html
    .. _bug 1837877: https://bugs.launchpad.net/nova/+bug/1837877
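The behavior change described in this note, modelled as an added example that is not nova's own code: ``NovaException``, ``build_fault``, ``fault_view`` and the sample error are hypothetical stand-ins, and the ``legacy`` flag reproduces the pre-fix handling of the ``message`` field.

```python
import traceback


class NovaException(Exception):
    """Hypothetical stand-in for nova's own exception base class."""


def build_fault(exc, legacy=False):
    """Build the stored fault record for a failed server operation."""
    # format_exception ends with "ClassName: value", so the exception
    # value is always present in details alongside the traceback.
    details = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__))
    if legacy or isinstance(exc, NovaException):
        # Pre-fix: every exception value was copied into message.
        # Post-fix: only nova's own, user-facing messages are.
        message = str(exc)
    else:
        # Non-nova exception: record the class name only.
        message = exc.__class__.__name__
    return {"message": message, "details": details}


def fault_view(fault, is_admin):
    """Return what the API shows: details are for the admin role only."""
    view = {"message": fault["message"]}
    if is_admin:
        view["details"] = fault["details"]
    return view


def sample_external_error():
    """Constructed error from an external library carrying a secret."""
    try:
        raise ConnectionError(
            "POST http://svc:s3cret@10.0.0.5:9696/v2.0/ports refused")
    except ConnectionError as exc:
        return exc


if __name__ == "__main__":
    err = sample_external_error()
    for label, legacy in (("before fix", True), ("after fix", False)):
        fault = build_fault(err, legacy=legacy)
        print(label, "| user :", fault_view(fault, is_admin=False))
        print(label, "| admin:", fault_view(fault, is_admin=True)["message"])
```

Operators who parse fault ``message`` for non-nova error text should read ``details`` with an admin token after upgrading.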