1363816 – password DWH_DB_PASSWORD not hidden

Bug 1363816 - password DWH_DB_PASSWORD not hidden

Summary: password DWH_DB_PASSWORD not hidden

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	Services
Sub Component:
Version:	4.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-4.0.3
Target Release:	4.0.3
Assignee:	Yedidyah Bar David
QA Contact:	Lukas Svaty
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1369695 CVE-2016-6341
TreeView+	depends on / blocked

Reported:	2016-08-03 16:04 UTC by Fabrice Bacchella
Modified:	2017-05-11 09:26 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Clones:	1369695 (view as bug list)
Environment:
Last Closed:	2016-08-29 14:51:13 UTC
oVirt Team:	Integration
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.0.z+ ylavi: planning_ack+ sbonazzo: devel_ack+ lsvaty: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	62746	master	MERGED	packaging: services: Filter dwh db password in logs	2021-02-18 23:05:01 UTC
oVirt gerrit	62747	ovirt-engine-4.0	MERGED	packaging: services: Filter dwh db password in logs	2021-02-18 23:05:01 UTC
oVirt gerrit	62748	ovirt-engine-4.0.3	MERGED	packaging: services: Filter dwh db password in logs	2021-02-18 23:05:02 UTC

Description Fabrice Bacchella 2016-08-03 16:04:31 UTC

I the log files, I can see :
Value of property 'DWH_DB_PASSWORD' is 'myrealpassword'.

But at the same time:
Value of property 'ENGINE_SSO_CLIENT_SECRET' is '***'.

DWH_DB_PASSWORD should be hidden too

Comment 3 Yedidyah Bar David 2016-08-24 06:58:30 UTC

AFAICT this refers to engine log files, not dwh (or engine-setup). Changing product/component.

Comment 4 Red Hat Bugzilla Rules Engine 2016-08-24 06:59:31 UTC

Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 5 Yedidyah Bar David 2016-08-24 07:27:43 UTC

Steps for reproduction/verification:

setup engine 4.0 with dwh
grep -R DWH_DB_PASSWORD /var/log/ovirt-engine/*

With broken version:

/var/log/ovirt-engine/engine.log:2016-08-24 10:10:20,764 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 45) [] Value of property 'DWH_DB_PASSWORD' is 'zJQ11m3Cl4tJIrXJ0sdKEj'.

With fixed version:

/var/log/ovirt-engine/engine.log:2016-08-24 10:14:20,444 INFO  [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 46) [] Value of property 'DWH_DB_PASSWORD' is '***'.

Fabrice, please confirm. Did you see it elsewhere? And thanks for the report!

Comment 10 Fabrice Bacchella 2016-08-24 08:10:58 UTC

I don't remember seeing it elsewhere.

Comment 11 Lukas Svaty 2016-08-26 12:29:43 UTC

verified in ovirt-engine-setup-4.0.3-0.1.el7ev.noarch

Note You need to log in before you can comment on or make changes to this bug.