Bug 1283019 (CVE-2015-7502) - CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database
Summary: CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7502
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1283325 1283367 1283369
Blocks: 1283021
Reported: 2015-11-18 04:07 UTC by Kurt Seifried
Modified: 2019-09-29 13:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain access to sensitive information.
Clone Of:
Environment:
Last Closed: 2015-12-16 17:06:00 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:2551 | 0 | normal | SHIPPED_LIVE | Moderate: CFME 5.5.0 bug fixes and enhancement update | 2015-12-08 17:58:09 UTC
Red Hat Product Errata | RHSA-2015:2620 | 0 | normal | SHIPPED_LIVE | Moderate: CFME 5.4.4 bug fixes, and enhancement update | 2015-12-16 18:18:32 UTC

Description Kurt Seifried 2015-11-18 04:07:14 UTC
It is reported that CloudForms fails to protect potentially sensitive data stored in the backend PostgreSQL database. This is due to encrypted data being decrypted and then stashed in data structures which may be inadvertently exposed (e.g. through database log files).

Comment 4 errata-xmlrpc 2015-12-08 13:48:27 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.5

Via RHSA-2015:2551 https://access.redhat.com/errata/RHSA-2015:2551

Comment 5 errata-xmlrpc 2015-12-16 13:20:04 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.4

Via RHSA-2015:2620 https://rhn.redhat.com/errata/RHSA-2015-2620.html

