CVE-2017-7214 — OpenStack Nova logs sensitive context from notification exceptions

Description

An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.

How to fix CVE-2017-7214

To remediate CVE-2017-7214, upgrade the affected package to a fixed version below.

—upgrade to 2:14.0.0-4 or later
—upgrade to 13.1.4 or later

Is CVE-2017-7214 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2:14.0.0-4
>= 13.0.0, < 13.1.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-7214
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-7214
PATCHgithub.com/openstack/nova
WEBaccess.redhat.com/errata/RHSA-2017:1508
WEBaccess.redhat.com