Bug 2158702

Summary: Satellite users with access to Virt-who Configurations can read out the 'Hypervisor Password ' from the input field
Product: Red Hat Satellite
Reporter: Jayant Bhatia <jbhatia>
Component: Virt-who Configure Plugin
Assignee: Lucy Fu <lufu>
Status: CLOSED ERRATA
QA Contact: yanpliu <yanpliu>
Severity: high
Docs Contact:
Priority: high
Version: 6.12.0
CC: ahumbe, chrobert, jan.hohmann, lufu, mlele, paji, pcreech
Target Milestone: 6.14.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: https://projects.theforeman.org/issues/36460
Whiteboard:
Fixed In Version: rubygem-foreman_virt_who_configure-0.5.15-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-08 14:18:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jayant Bhatia 2023-01-06 07:47:37 UTC
Description of problem:

Users logged in to the Satellite WebUI who have access to the virt-who configuration mask (foreman_virt_who_configure/configs/1/edit) can read out the current password from the 'Hypervisor Password' input field.

This is a security incident because not all Satellite administrators might have access to the VMware infrastructure, and the 'Hypervisor Password' should not be exposed to them.


Version-Release number of selected component (if applicable): All Satellite versions


How reproducible: Always


Steps to Reproduce:

1. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> create a configuration filling in all the details.
2. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> <Configuration-Name> -> Edit.
3. Place the pointer on the 'Hypervisor Password' field, right-click on the password field and click on "Inspect".

Actual results: The real password is shown in the value field of the input object.

Expected results: The input field "foreman_virt_who_configure_config[hypervisor_password]" should only contain dummy data.


Additional info: The web frontend of Satellite is leaking this password. It would be great if Satellite would use the same password input mechanism for virt-who as for the compute resources or the LDAP binding accounts:

/compute_resources/1-myvmware/edit#
/auth_source_ldaps/5-myldap/edit

If we go to Satellite WebUI -> Administer -> Authentication Sources, you will not get the 'Account Password' in the same way.
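As an added illustration of the leak this report describes and of the "dummy data" behaviour it asks for (example code written for this page, not Foreman's or Satellite's own implementation): the leaky helper copies the stored secret into the input's value attribute, the hardened helper emits a fixed placeholder, and the update step keeps the stored secret unless the user actually typed a new one. Names such as `PLACEHOLDER` and `apply_password_update` are this example's own.

```ruby
require 'erb'

# Dummy value rendered in place of the real secret (assumed sentinel, not
# a Foreman constant).
PLACEHOLDER = '********'

# Vulnerable pattern: the stored secret is written straight into the value
# attribute, so anyone who can open the edit page and "Inspect" the element
# reads it in clear text, whether or not they are allowed to know it.
def render_password_field_leaky(name, stored_password)
  %(<input type="password" name="#{ERB::Util.html_escape(name)}" ) +
    %(value="#{ERB::Util.html_escape(stored_password)}">)
end

# Hardened pattern: the secret never leaves the server; the field is
# pre-filled with the placeholder so the form still looks "filled in".
def render_password_field_safe(name)
  %(<input type="password" name="#{ERB::Util.html_escape(name)}" ) +
    %(value="#{PLACEHOLDER}" autocomplete="new-password">)
end

# On save, only overwrite the stored secret when the submitted value is
# neither blank nor the untouched placeholder; otherwise keep what is stored.
def apply_password_update(stored_password, submitted)
  return stored_password if submitted.nil? || submitted.empty? || submitted == PLACEHOLDER

  submitted
end

# Simple check a reviewer can run against rendered HTML: does the markup
# contain the (escaped) secret anywhere?
def leaks_secret?(html, secret)
  html.include?(ERB::Util.html_escape(secret))
end

if __FILE__ == $PROGRAM_NAME
  field = 'foreman_virt_who_configure_config[hypervisor_password]'
  secret = 'Vm!Real-Pass-42' # constructed sample value
  puts "leaky form leaks secret: #{leaks_secret?(render_password_field_leaky(field, secret), secret)}"
  puts "safe form leaks secret:  #{leaks_secret?(render_password_field_safe(field), secret)}"
end
```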

Comment 3 Brad Buckingham 2023-05-01 13:16:54 UTC
*** Bug 1599675 has been marked as a duplicate of this bug. ***

Comment 4 Chris Roberts 2023-06-02 13:53:34 UTC
This has an open PR so keep this one

Comment 5 Bryan Kearney 2023-06-06 04:02:48 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36460 has been resolved.

Comment 11 errata-xmlrpc 2023-11-08 14:18:10 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818