Bug 1363816 - password DWH_DB_PASSWORD not hidden
Summary: password DWH_DB_PASSWORD not hidden
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Services
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.0.3
Target Release: 4.0.3
Assignee: Yedidyah Bar David
QA Contact: Lukas Svaty
URL:
Whiteboard:
Depends On:
Blocks: 1369695 CVE-2016-6341
Reported: 2016-08-03 16:04 UTC by Fabrice Bacchella
Modified: 2017-05-11 09:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: DWH database is used by the engine for the new 4.0 dashboard feature, so credentials were added to its configuration, but not to the list of keys to filter in the logs.
Consequence: DWH database password appears in the logs as-is.
Fix: DWH_DB_PASSWORD was added to SENSITIVE_KEYS.
Result: The password is replaced with '***'.
Clone Of:
: 1369695
Environment:
Last Closed: 2016-08-29 14:51:13 UTC
oVirt Team: Integration
rule-engine: ovirt-4.0.z+
ylavi: planning_ack+
sbonazzo: devel_ack+
lsvaty: testing_ack+


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 62746 master MERGED packaging: services: Filter dwh db password in logs 2016-08-24 07:45:13 UTC
oVirt gerrit 62747 ovirt-engine-4.0 MERGED packaging: services: Filter dwh db password in logs 2016-08-24 08:01:57 UTC
oVirt gerrit 62748 ovirt-engine-4.0.3 MERGED packaging: services: Filter dwh db password in logs 2016-08-24 08:04:34 UTC

Description Fabrice Bacchella 2016-08-03 16:04:31 UTC
In the log files, I can see:
Value of property 'DWH_DB_PASSWORD' is 'myrealpassword'.

But at the same time:
Value of property 'ENGINE_SSO_CLIENT_SECRET' is '***'.

DWH_DB_PASSWORD should be hidden too

Comment 3 Yedidyah Bar David 2016-08-24 06:58:30 UTC
AFAICT this refers to engine log files, not dwh (or engine-setup). Changing product/component.

Comment 4 Red Hat Bugzilla Rules Engine 2016-08-24 06:59:31 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 5 Yedidyah Bar David 2016-08-24 07:27:43 UTC
Steps for reproduction/verification:

setup engine 4.0 with dwh
grep -R DWH_DB_PASSWORD /var/log/ovirt-engine/*

With broken version:

/var/log/ovirt-engine/engine.log:2016-08-24 10:10:20,764 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 45) [] Value of property 'DWH_DB_PASSWORD' is 'zJQ11m3Cl4tJIrXJ0sdKEj'.

With fixed version:

/var/log/ovirt-engine/engine.log:2016-08-24 10:14:20,444 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 46) [] Value of property 'DWH_DB_PASSWORD' is '***'.

Fabrice, please confirm. Did you see it elsewhere? And thanks for the report!
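
The verification grep above checks one key. As an added example (not part of this bug report and not oVirt code), the following Python check generalizes it to any "Value of property" line whose key name looks like a credential but whose value is not masked, and can also redact such lines before a log is shared. The name hints in SECRET_HINT, the EXAMPLE_DB_HOST key and the sample values are assumptions constructed for illustration.

```python
import re
import sys

# Line shape copied from the engine.log excerpts quoted in this report.
PROPERTY_LINE = re.compile(r"Value of property '(?P<key>[^']+)' is '(?P<value>.*)'\.\s*$")
# Assumption: name fragments that suggest a credential; this is not oVirt's SENSITIVE_KEYS.
SECRET_HINT = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE_KEY", re.IGNORECASE)
MASK = "***"


def find_unmasked(lines):
    """Return (line_number, key) for secret-looking properties logged unmasked."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = PROPERTY_LINE.search(line)
        if not match:
            continue
        key, value = match.group("key"), match.group("value")
        # Empty values carry no secret; '***' is the fixed behaviour.
        if SECRET_HINT.search(key) and value not in ("", MASK):
            findings.append((number, key))
    return findings


def redact(line):
    """Mask the value of a secret-looking property line; return other lines unchanged."""
    match = PROPERTY_LINE.search(line)
    if match and SECRET_HINT.search(match.group("key")) and match.group("value"):
        return line[:match.start("value")] + MASK + line[match.end("value"):]
    return line


# Constructed sample input modelled on the lines in this report; values are not real.
SAMPLE_LOG = [
    "2016-08-24 10:10:20,764 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] "
    "(ServerService Thread Pool -- 45) [] Value of property 'DWH_DB_PASSWORD' is 'constructed-value'.",
    "2016-08-24 10:10:20,765 INFO  [...] Value of property 'ENGINE_SSO_CLIENT_SECRET' is '***'.",
    "2016-08-24 10:10:20,766 INFO  [...] Value of property 'EXAMPLE_DB_HOST' is 'localhost'.",
]


if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for number, key in find_unmasked(source):
        print(f"line {number}: {key} logged unmasked")  # the value is never printed
```

Run it with a log path as the only argument; any password found this way has already been written to disk and should be rotated, since masking only affects lines logged after the fix.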

Comment 10 Fabrice Bacchella 2016-08-24 08:10:58 UTC
I don't remember seeing it elsewhere.

Comment 11 Lukas Svaty 2016-08-26 12:29:43 UTC
verified in ovirt-engine-setup-4.0.3-0.1.el7ev.noarch
