An insecure-credentials flaw was found in all openstack-cinder versions
before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before
openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before
openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC
ScaleIO or VxFlex OS backend storage driver, credentials for the entire
backend are exposed in the ``connection_info`` element in all Block Storage
v3 Attachments API calls containing that element. This flaw enables an
end-user to create a volume, make an API call to show the attachment detail
information, and retrieve a username and password that may be used to
connect to another user's volume. Additionally, these credentials are valid
for the ScaleIO or VxFlex OS Management API, should an attacker discover
the Management API endpoint.
Source: OpenStack project
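
A post-upgrade check for the exposure described above, as an added example that is not from the Ubuntu tracker or the OpenStack project: it walks the ``connection_info`` element of an attachment document and reports credential-like keys by path only, never by value. The sample documents, the key names inside them, and the `SENSITIVE_HINTS` list are constructed assumptions.

```python
# Added example: audit a Block Storage v3 attachment document for leaked secrets.
import json

# Assumption: substrings that mark a key as credential-like; tune per backend.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "username")

# Constructed samples shaped like an attachment detail document.
# Key names and values inside connection_info are illustrative only.
SAMPLE_AFFECTED = json.loads("""
{"attachment": {"id": "att-0001", "volume_id": "vol-0001",
  "connection_info": {"driver_volume_type": "scaleio",
    "backend_username": "EXAMPLE-USER",
    "backend_password": "EXAMPLE-PASSWORD",
    "nested": {"api_token": "EXAMPLE-TOKEN"}}}}
""")
SAMPLE_CLEAN = json.loads("""
{"attachment": {"id": "att-0002", "volume_id": "vol-0002",
  "connection_info": {"driver_volume_type": "scaleio",
    "volume_name": "vol-0002"}}}
""")


def find_sensitive_keys(node, path="connection_info"):
    """Return sorted paths of credential-like keys that hold a non-empty value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                hits += find_sensitive_keys(value, here)
            elif value not in (None, "") and any(
                    hint in key.lower() for hint in SENSITIVE_HINTS):
                hits.append(here)  # record the path only, so the report leaks nothing
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits += find_sensitive_keys(item, f"{path}[{index}]")
    return sorted(hits)


def audit_attachment(doc):
    """Audit one attachment document; a missing or null connection_info is clean."""
    info = (doc.get("attachment") or {}).get("connection_info") or {}
    return find_sensitive_keys(info)


if __name__ == "__main__":
    for name, doc in (("affected", SAMPLE_AFFECTED), ("clean", SAMPLE_CLEAN)):
        findings = audit_attachment(doc)
        print(name, "FAIL" if findings else "OK", findings)
```
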
mdeslaur: Fixing this moves VxFlex OS passwords from the
block_device_mapping table to a file called

From python-os-brick patch:
It requires that a configuration file be deployed on compute
nodes, cinder nodes, and anywhere you would perform a volume
attachment in your deployment, when using Cinder with a Dell
EMC VxFlex OS backend.

If we fix this in stable releases, it will break environments
until the new configuration file is deployed.

Upstream: released (14.1.0, 15.2.0, 16.1.0)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): released (2:12.0.9-0ubuntu1.2)
Ubuntu 20.04 LTS (Focal Fossa): released (2:16.1.0-0ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): needed

Updated: 2020-07-28 18:59:48 UTC (commit 7b6828437fde0509248708fcdb5b0f7587b85bd1)