Bug 1683157
| Summary: | CVE-2019-10194 ovirt-engine-metrics: disclosure of sensitive passwords in log files and ansible playbooks [rhev-m-4.3.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Avital Pinnick <apinnick> |
| Component: | ovirt-engine-metrics | Assignee: | Shirly Radco <sradco> |
| Status: | CLOSED ERRATA | QA Contact: | Ivana Saranova <isaranov> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.3.1 | CC: | asabadra, dmoppert, emarcus, jzmeskal, lleistne, lrock, lsvaty, mtessun, sradco |
| Target Milestone: | ovirt-4.3.5-1 | Keywords: | SecurityTracking, ZStream |
| Target Release: | 4.3.5 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-metrics-1.3.3 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-15 13:29:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Metrics | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1715513 | | |
| Bug Blocks: | 1723786, 1726007 | | |
| Deadline: | 2020-02-26 | | |
Description
Avital Pinnick
2019-02-26 10:53:21 UTC
I found several issues when inspecting the code: All the passwords are in plain text in these files:

- /usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/vars.yaml
- /usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/metrics_store_post_installation.yaml
- /usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/vars.yaml
- /usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/metrics_store_post_installation.yaml

Tested in: ovirt-engine-metrics-1.2.1.3-1.el7ev.noarch

Installation failed on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1697521

Tested in: ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch, ovirt-engine-4.3.3.1-0.1.el7.noarch

`no_log: true` is still missing in the metrics_post_installation.yml for the task [Assign the password immediately without login]. Running the install_okd.yml playbook with -vvv makes the password visible in plaintext in the log of the task.

Tested in: ovirt-engine-4.2.8.5-0.1.el7ev.noarch, ovirt-engine-metrics-1.2.2.2-1.el7ev.noarch

Also tested in: ovirt-engine-4.3.3.1-0.1.el7.noarch, ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch

Cannot verify due to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1715513

A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 26-Feb-2020. Refer to this bug's Description for information about how to resolve this bug.
Steps:

1. Install metrics store according to the documentation
2. Run all the installation scripts in verbose mode and save the logs
3. Check that none of the logs or files generated by the installation contain any of the passwords used in the secure-vars.yaml file

Results: No passwords in plaintext generated by installation

Verified in: ovirt-engine-4.3.5.4-0.1.el7.noarch, ansible-2.8.3-1.el7ae.noarch, ovirt-engine-metrics-1.3.3.3-1.el7.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2499
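The two checks below are an added example, not code from this bug report or from the ovirt-engine-metrics project. They automate the defect and the verification steps discussed above: `lint_tasks()` flags Ansible tasks that reference a secret variable without `no_log: true` (the class of omission reported for the "Assign the password immediately without login" task), and `find_leaked_secrets()` scans captured `-vvv` logs or generated files for the literal values from secure-vars.yaml, as step 3 of the verification asks. The variable names, task bodies and log lines are constructed for illustration; the task list is embedded as already-parsed Python data so the script runs without PyYAML (in practice you would load the playbook with `yaml.safe_load()`).

```python
"""Defensive checks for plaintext secrets in Ansible playbooks and run logs.

Added example; not part of the bug report or the ovirt-engine-metrics project.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for secure-vars.yaml (hypothetical variable names and values).
SECURE_VARS: Dict[str, str] = {
    "kibana_admin_password": "Kb-adm1n-pa55",
    "elasticsearch_password": "Es-s3cret-77",
}

# Constructed stand-in for a playbook's task list, as yaml.safe_load() would return it.
# The first task mirrors the reported omission: it renders a secret but has no no_log.
TASKS: List[dict] = [
    {
        "name": "Assign the password immediately without login",
        "command": "oc adm policy ... --password={{ kibana_admin_password }}",
    },
    {
        "name": "Set elasticsearch password",
        "shell": "set-es-password {{ elasticsearch_password }}",
        "no_log": True,  # correct: module args and result are censored in the log
    },
    {
        "name": "Restart kibana",
        "service": {"name": "kibana", "state": "restarted"},
    },
]

# Constructed sample of ansible-playbook -vvv output for the tasks above.
SAMPLE_LOG: List[str] = [
    "TASK [Assign the password immediately without login] ****",
    'changed: [localhost] => {"changed": true, "cmd": ["oc", "adm", "policy", "--password=Kb-adm1n-pa55"]}',
    "TASK [Set elasticsearch password] ****",
    'changed: [localhost] => {"censored": "the output has been hidden due to the fact that \'no_log: true\' was specified for this result"}',
    "TASK [Restart kibana] ****",
    'changed: [localhost] => {"changed": true, "name": "kibana", "state": "started"}',
]

# Matches the variable name at the start of a Jinja2 expression: {{ var_name ... }}
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")


def _referenced_vars(value) -> Set[str]:
    """Collect variable names used in {{ ... }} expressions anywhere inside a task value."""
    if isinstance(value, str):
        return set(JINJA_VAR.findall(value))
    if isinstance(value, dict):
        return set().union(*(_referenced_vars(v) for v in value.values()))
    if isinstance(value, list):
        return set().union(*(_referenced_vars(v) for v in value))
    return set()


def lint_tasks(tasks: Iterable[dict], secret_names: Iterable[str]) -> List[str]:
    """Return the names of tasks that render a secret variable but do not set no_log: true.

    Such tasks print the rendered value in the task result when run with -v/-vvv.
    """
    secrets = set(secret_names)
    findings: List[str] = []
    for task in tasks:
        body = {k: v for k, v in task.items() if k not in ("name", "no_log")}
        if _referenced_vars(body) & secrets and task.get("no_log") is not True:
            findings.append(task.get("name", "<unnamed task>"))
    return findings


def find_leaked_secrets(lines: Iterable[str], secret_values: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (line_number, secret_name) for each line that contains a secret value verbatim."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for name, value in secret_values.items():
            if value and value in line:
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for task_name in lint_tasks(TASKS, SECURE_VARS):
        print(f"task without no_log references a secret: {task_name}")
    for lineno, name in find_leaked_secrets(SAMPLE_LOG, SECURE_VARS):
        print(f"log line {lineno} contains the value of {name}")
```

Run against a real installation, point `find_leaked_secrets()` at the saved verbose logs and at the generated vars/post-installation files, using the values from secure-vars.yaml; an empty result corresponds to the "No passwords in plaintext" outcome recorded in the verification. The linter only catches direct `{{ var }}` references, so a task that reaches a secret through a derived fact or an included file still needs manual review.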