Bug 2244213

Summary: sos: Ansible Automation Platform collects customer passwords and tokens via sosreport
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: pmoravec
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2244214
Bug Blocks: 2244215

Description Nick Tait 2023-10-14 16:54:24 UTC
When working with customer cases, many Red Hat support employees regularly make use of a tool called "SOS report" [1]. This tool gathers various files that may be of interest to the supporter working a specific case to troubleshoot a customer issue.

Developers of this tool aim to obfuscate/remove all secrets, passwords and tokens that are present in these files. Unfortunately, we have been gathering the passwords of customers that are running Ansible Automation Platform on RHEL (possibly OpenShift too) for quite a while now.

The list of known erroneously gathered passwords/tokens/secrets is below. There may be others that have not yet been identified.
- Database password
- LDAP bind password
- Broadcast secret (Ansible Automation Platform specific)
- Email password (if notifications are enabled within the Ansible Automation Platform)

A fix is already in place upstream for both the Ansible Automation Platform Controller [2] and Ansible Automation Hub [3], which are both components of the Ansible Automation Platform.

[1]: https://access.redhat.com/solutions/3592
[2]: https://github.com/ansible/awx/pull/14557
[3]: https://github.com/sosreport/sos/pull/3379
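The class of bug described above is a missing post-collection scrub: sos plugins collect configuration files verbatim and then apply regex substitutions in their postproc step, so any secret-bearing key the plugin does not know about is shipped in the tarball. The standalone example below (added here for illustration; it is not code from sos, AWX, or the linked pull requests) shows that pattern over a constructed settings fragment and includes the check a reviewer of such a fix would want: extract the secret values from the unscrubbed input and confirm none of them survive in the output. The file layout, the key names (AUTH_LDAP_BIND_PASSWORD, BROADCAST_WEBSOCKET_SECRET, EMAIL_HOST_PASSWORD, and a PASSWORD entry in a DATABASES dict) and the sample values are assumptions for the example, not a statement of exactly which keys the upstream fix scrubs.

```python
import re

# Constructed sample of a Django-style settings fragment of the kind an
# automation-controller install might carry. Key names and values are
# assumptions for this example; none of this is taken from a real system.
SAMPLE_SETTINGS = """\
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'awx',
        'USER': 'awx',
        'PASSWORD': 'db-s3cret',
        'HOST': 'localhost',
    }
}
AUTH_LDAP_BIND_DN = 'cn=svc,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = "ldap-b1nd"
BROADCAST_WEBSOCKET_SECRET = 'YnJvYWRjYXN0'
EMAIL_HOST_PASSWORD = 'smtp-p4ss'
EMAIL_USE_TLS = True
"""

# Keys whose quoted value must never leave the box. Longest names first so
# the alternation prefers the specific key over the bare PASSWORD entry.
SECRET_KEYS = (
    "AUTH_LDAP_BIND_PASSWORD",
    "BROADCAST_WEBSOCKET_SECRET",
    "EMAIL_HOST_PASSWORD",
    "PASSWORD",
)

# Matches  KEY = 'value'  and  'KEY': "value"  forms. The value group stops at
# the matching quote, so surrounding keys and non-secret settings are untouched.
SECRET_RE = re.compile(
    r"(?P<key>['\"]?\b(?:" + "|".join(SECRET_KEYS) + r")\b['\"]?\s*[:=]\s*)"
    r"(?P<q>['\"])(?P<val>[^'\"\n]*)(?P=q)"
)

REDACTED = "********"


def scrub_secrets(text):
    """Replace the value of every known secret key with a fixed placeholder,
    keeping the key, separator and quoting so the file stays parseable."""
    return SECRET_RE.sub(
        lambda m: m.group("key") + m.group("q") + REDACTED + m.group("q"), text
    )


def extract_secret_values(text):
    """Pull the plaintext values the scrubber is expected to remove, in file
    order. Used to verify a scrub rather than trusting the regex blindly."""
    return [m.group("val") for m in SECRET_RE.finditer(text)]


def leaked_secrets(text, known_secrets):
    """Return the known plaintext secrets that still appear in text.
    An empty list means the scrub held for every value we knew about."""
    return [s for s in known_secrets if s and s in text]


if __name__ == "__main__":
    secrets = extract_secret_values(SAMPLE_SETTINGS)
    scrubbed = scrub_secrets(SAMPLE_SETTINGS)
    print(scrubbed)
    leaks = leaked_secrets(scrubbed, secrets)
    print("leaked after scrub:", leaks)
```

The verification step is the important part: a scrub rule that matches only one quoting style or one key spelling silently passes the other through, which is exactly how the passwords listed above ended up in collected archives. Running the extractor against the unscrubbed input and the leak check against the output turns that into a test that fails loudly the next time a new secret-bearing key is added to the configuration.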

Comment 1 Nick Tait 2023-10-14 16:56:07 UTC
Created sos tracking bugs for this issue:

Affects: fedora-all [bug 2244214]