Bug 2128834 (CVE-2022-3261)

Summary: CVE-2022-3261 openstack: plain-text passwords saved in /var/log/messages
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: askrabec, eglynn, gfidente, jjoyce, lhh, mburns, mgarciac, security-response-team, spower, vinair
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenStack. Multiple components write plain-text passwords to /var/log/messages during an OpenStack overcloud update run, leading to disclosure of sensitive information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-07 17:32:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2117459, 2128839
Bug Blocks: 2121545, 2212327

Description Sage McTaggart 2022-09-21 15:47:56 UTC
Description of problem:

There are multiple components that show the plain-text passwords in /var/log/messages during an openstack overcloud update run.

{'command': ['/bin/bash', '-c', "/usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret '3E4DB0C9-EA6B-4A8E-B3E1-FF8D5B3D2643' --base64 'SGVsbG8gdGhlcmUgOi0pCg=='"]

/usr/bin/redis-cli -s /var/run/redis/redis.sock -a <password> info 

mysql --defaults-extra-file=/etc/my.cnf -nNE --connect-timeout=10 --user=clustercheck --password=<password> --host=localhost --port=3306 -e SHOW STATUS LIKE 'wsrep_local_state'; 

mysql -nNE --user=clustercheck --password=<password> -h localhost -e show status like 'wsrep_cluster_status';


Version-Release number of selected component (if applicable):

RHOSP16.2

How reproducible:

openstack overcloud update run

And check /var/log/messages

Actual results:

Passwords are visible in /var/log/messages

Expected results:

The passwords should be redacted or hidden otherwise.

Additional info:
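The three command shapes quoted in this report (mysql --password=, redis-cli -a, virsh secret-set-value --base64) can be matched and scrubbed before a line reaches the journal, or used to audit an existing /var/log/messages. The following is an added example written for this page; it is not code from the bug report or from any OpenStack component, and the log sample, hostnames and password values in it are constructed.

```python
import re

# Patterns for the credential-bearing command lines quoted in this report.
# Group 1 is the option that introduces the secret; group "secret" is the
# value to redact (a bare word, or a single/double-quoted string).
_VALUE = r"(?P<secret>'[^']*'|\"[^\"]*\"|\S+)"
_SECRET_PATTERNS = [
    re.compile(r"(--password=)" + _VALUE),   # mysql --password=<value>
    re.compile(r"(\s-a\s+)" + _VALUE),       # redis-cli -a <value>
    re.compile(r"(--base64\s+)" + _VALUE),   # virsh secret-set-value --base64 <value>
]
REDACTED = "<redacted>"


def redact_secrets(line: str) -> str:
    """Return the line with every matched secret replaced by REDACTED."""
    for pat in _SECRET_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def scan_log(text: str):
    """Return [(line_no, redacted_line), ...] for every line that carried a
    secret. Usable both to audit an existing /var/log/messages and to filter
    lines before they are written."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        clean = redact_secrets(line)
        if clean != line:
            hits.append((no, clean))
    return hits


# Constructed sample of /var/log/messages lines (timestamps, hostnames and the
# password values are made up; the command shapes are the ones reported).
SAMPLE_LOG = """\
Sep 21 15:40:01 overcloud-controller-0 ansible-command: /usr/bin/redis-cli -s /var/run/redis/redis.sock -a hunter2 info
Sep 21 15:40:02 overcloud-controller-0 podman[1234]: starting container
Sep 21 15:40:03 overcloud-controller-0 ansible-command: mysql --defaults-extra-file=/etc/my.cnf -nNE --connect-timeout=10 --user=clustercheck --password=Tr0ub4dor --host=localhost --port=3306 -e SHOW STATUS LIKE 'wsrep_local_state';
Sep 21 15:40:04 overcloud-controller-0 ansible-command: {'command': ['/bin/bash', '-c', "/usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret '3E4DB0C9-EA6B-4A8E-B3E1-FF8D5B3D2643' --base64 'SGVsbG8gdGhlcmUgOi0pCg=='"]}
"""

if __name__ == "__main__":
    for no, clean in scan_log(SAMPLE_LOG):
        print(f"line {no}: {clean}")
```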

Comment 3 Product Security DevOps Team 2022-12-07 17:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3261

Comment 4 Anten Skrabec 2023-06-06 19:29:20 UTC
*** Bug 2212327 has been marked as a duplicate of this bug. ***

Comment 5 Anten Skrabec 2023-06-06 19:29:31 UTC
*** Bug 2212531 has been marked as a duplicate of this bug. ***