Bug 1283019 - (CVE-2015-7502) CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151118,repor...
Keywords: Security
Depends On: 1283325 1283367 1283369
Blocks: 1283021
Reported: 2015-11-17 23:07 EST by Kurt Seifried
Modified: 2015-12-16 12:06 EST
Doc Type: Bug Fix
Doc Text:
A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain access to sensitive information.
Last Closed: 2015-12-16 12:06:00 EST
Description Kurt Seifried 2015-11-17 23:07:14 EST
It is reported that CloudForms fails to protect potentially sensitive data stored in the backend PostgreSQL database. This is due to encrypted data being decrypted and then stashed in data structures which may be inadvertently exposed (e.g. through database log files).
Comment 4 errata-xmlrpc 2015-12-08 08:48:27 EST
This issue has been addressed in the following products:

  CloudForms Management Engine 5.5

Via RHSA-2015:2551 https://access.redhat.com/errata/RHSA-2015:2551
Comment 5 errata-xmlrpc 2015-12-16 08:20:04 EST
This issue has been addressed in the following products:

  CloudForms Management Engine 5.4

Via RHSA-2015:2620 https://rhn.redhat.com/errata/RHSA-2015-2620.html
