CVE-2017-2622
Description
OpenStack Workflow (mistral) set /var/log/mistral/ world-readable, exposing secrets to any local attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2017-2622 is a file-permission flaw in OpenStack Workflow (mistral) where the service log directory /var/log/mistral/ was created with world-readable permissions. This affects openstack-mistral versions prior to 3.0.2-11.el7ost in Red Hat OpenStack Platform 10.0 (Newton) and likely other distributions. The misconfiguration allows any local user on the system to read log files that may contain sensitive information [1] [2].
Exploitation
An attacker needs only local user access to the host running the mistral service. No authentication against the OpenStack API is required; the attacker simply lists the contents of /var/log/mistral/ and reads any log files present. The flaw is a file-permission issue, so there is no race condition or user interaction needed beyond having system-level shell access [1].
Impact
A malicious local user can read log files that may contain passwords, tokens, or other confidential data used by the mistral workflow service. The compromise is limited to information disclosure—the attacker gains no code execution or privilege escalation directly from this flaw, but the exposed credentials could enable further attacks within the OpenStack environment [1] [2].
Mitigation
Red Hat released the fix in RHSA-2017:1584 on 2017-06-28, updating openstack-mistral to version 3.0.2. The fix corrects the permissions on /var/log/mistral/ to restrict read access to the mistral user only. Users should apply the update or manually set restrictive permissions (e.g., chmod 750 /var/log/mistral/) as an immediate workaround. No KEV listing exists for this CVE [2].
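The following audit and workaround script is an added example, not code from the advisory or the mistral project. It checks a log directory for entries readable by "others" (the exposure this CVE describes) and applies the advisory's chmod 750 workaround, going one step beyond the page by also tightening the files inside the directory; the directory path is taken as an argument so it can be exercised on a constructed test tree.

```shell
#!/bin/sh
# Constructed audit helper for CVE-2017-2622-style log exposure.
# audit_log_dir DIR  -> exit 0 if nothing under DIR is readable by "others",
#                       exit 1 (and list the offenders) otherwise,
#                       exit 2 if DIR does not exist.
audit_log_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -o+r matches every entry whose "others" read bit is set.
    # With the directory itself at 750 the files inside are already
    # unreachable by other users, but we still report them so that a
    # later chmod on the directory alone cannot silently re-expose them.
    exposed=$(find "$dir" -perm -o+r 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf 'world-readable entries under %s:\n%s\n' "$dir" "$exposed"
        return 1
    fi
    return 0
}

# harden_log_dir DIR -> apply the advisory's workaround (chmod 750 on the
# directory) and, as defence in depth, 750 on subdirectories and 640 on
# log files, so only the service account and its group can read them.
harden_log_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Typical use on an affected host (run as root):
#   audit_log_dir /var/log/mistral || harden_log_dir /var/log/mistral
```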
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] access.redhat.com/errata/RHSA-2017:1584 (vendor advisory, x_refsource_REDHAT)
- [2] bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.