Bug 2224630 (CVE-2023-4065)

Summary: CVE-2023-4065 Red Hat AMQ Broker Operator: plaintext password in operator log
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ataylor, chazlett, dbruscin, jross, rkieley, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Red Hat AMQ Broker 7.11.1.OPR.2.GA
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat AMQ Broker Operator: a password defined in an ActiveMQArtemisAddress CR is written in plain text to the Operator log. This flaw allows an authenticated local attacker to access information outside of their permissions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2224626

Description Chess Hazlett 2023-07-21 17:53:24 UTC
The password defined in ActiveMQArtemisAddress CR is shown in plain text in the Operator Log. An authed attacker could use this flaw to access information outside of their permissions.

Comment 3 errata-xmlrpc 2023-08-23 14:44:14 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:4720 https://access.redhat.com/errata/RHSA-2023:4720