Bug 1103324 (CVE-2014-3925)

Summary: CVE-2014-3925 sos: does not indicate data sent is potentially sensitive on Red Hat Enterprise Linux 5
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agk, bmr, gavin, jkurik, kroberts
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 14:58:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1065468    
Bug Blocks: 1101415    

Description Vincent Danen 2014-05-30 18:13:18 UTC 
As noted in bug #1102633, Red Hat Enterprise Linux 5 does not contain the following preamble when running sosreport:

"The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party."

As a result, a user might assume that the contents of the sosreport archive are sanitized and do not contain any sensitive information.  While sosreport does try to remove some common files that contain passwords or other sensitive information (like kerberos keytabs, etc.), it's impossible to catch everything and it is never claimed that it does.

MITRE has assigned CVE-2014-3925 to the implementation of sosreport on Red Hat Enterprise Linux 5 precisely for this reason [1].

[1] http://www.openwall.com/lists/oss-security/2014/05/30/3
Comment 2 Vincent Danen 2015-08-22 14:58:17 UTC 
This was fixed in https://rhn.redhat.com/errata/RHBA-2014-1200.html


Statement:

This issue did not affect the versions of sosreport as shipped with Red Hat Enterprise Linux 6.