Bug 1512365 (CVE-2017-15113)

Summary: CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bmcclain, dblechte, dougsland, eedri, extras-orphan, juan.hernandez, lsurette, mgoldboi, michal.skrivanek, nobody, rbalakri, Rhev-m-bugs, security-response-team, sherold, srevivo, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ovirt-engine 4.1.7.6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-13 02:50:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1513329, 1513331
Bug Blocks: 1511511

Description Doran Moppert 2017-11-13 02:33:05 UTC
It was discovered that with log level set to "DEBUG", ovirt-engine includes
passwords in the log file without masking.

Note that only administrators can change the log level, and only administrators
can access logs. This presents a risk when debug-level logs are shared with
vendors etc. to troubleshoot issues.

Upstream patch:

https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commitdiff;h=f4a5d0cc772127dbfe40789e26c4633ceea07d14;hp=e6e8704ac9eb115624ff66e2965877d8e63a45f4
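
As an added example (not part of this bug report or of the ovirt-engine fix), a scrub-before-sharing check for debug logs of the kind the description warns about: it masks password-like key=value and JSON fields and reports how many lines carried unmasked credentials. The sample lines are constructed and only shaped like engine debug output; the real ovirt-engine log format and parameter names are not assumed.

```python
import re

# Constructed sample of engine-style DEBUG lines (not real ovirt-engine output):
# parameter dumps in key=value form and in a JSON-like map.
SAMPLE_LOG = """\
2017-11-10 10:01:02,345 DEBUG [org.example.bll.LoginCommand] (task-1) Running command: user=admin@internal password=Sup3rSecret!
2017-11-10 10:01:02,400 DEBUG [org.example.dal] (task-1) Parameters: {"host":"h1","rootPassword":"r00tpw","port":22}
2017-11-10 10:01:03,000 INFO  [org.example.bll] (task-1) Host added successfully
"""

# Key fragments whose values must never leave the host unmasked.
SECRET_KEYS = ("password", "passwd", "secret", "token")
KEY = "|".join(SECRET_KEYS)
# key=value form, key matched loosely so rootPassword, sshPassword etc. are caught
KV_RE = re.compile(rf'(?i)\b(\w*(?:{KEY})\w*)=([^\s,;]+)')
# "key":"value" form inside JSON-like parameter maps
JSON_RE = re.compile(rf'(?i)("\w*(?:{KEY})\w*"\s*:\s*")([^"]*)(")')
MASK = "***"

def mask_line(line):
    """Return the log line with credential values replaced by MASK."""
    line = KV_RE.sub(lambda m: f"{m.group(1)}={MASK}", line)
    line = JSON_RE.sub(lambda m: f"{m.group(1)}{MASK}{m.group(3)}", line)
    return line

def scrub_log(text):
    """Scrub a whole log; return (clean_text, number_of_lines_that_changed)."""
    changed = 0
    out = []
    for line in text.splitlines():
        masked = mask_line(line)
        if masked != line:
            changed += 1  # this line carried an unmasked credential
        out.append(masked)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed

if __name__ == "__main__":
    clean, n = scrub_log(SAMPLE_LOG)
    print(f"{n} line(s) contained unmasked credentials")
    print(clean)
```

A non-zero count on a log bundle is the signal to stop and scrub (or to fix the logger) before the bundle goes to a vendor.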

Comment 1 Doran Moppert 2017-11-13 02:33:16 UTC
Acknowledgments:

Name: Jiri Belka (Red Hat)

Comment 2 Doran Moppert 2017-11-13 02:50:12 UTC
This was addressed in ovirt-engine-4.1.7.6-0.1:

https://access.redhat.com/errata/RHEA-2017:3138

Comment 4 Doran Moppert 2017-11-15 08:34:33 UTC
Created ovirt-engine tracking bugs for this issue:

Affects: fedora-all [bug 1513331]