Bug 1371428 – CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1371428 - (CVE-2016-5432) CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text

Summary:	CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username...

Status:	CLOSED ERRATA

Aliases:	CVE-2016-5432

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160830,repor...
Keywords:	Security

Depends On:	1371612 1371613
Blocks:	1371429
	Show dependency tree / graph

Reported:	2016-08-30 04:15 EDT by Martin Prpič
Modified:	2016-09-29 15:12 EDT (History)
CC List:	15 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the ovirt-engine-provisiondb utility did not correctly sanitize the authentication details used with the “—provision*db” options from the output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-09-29 15:12:10 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1967	normal	SHIPPED_LIVE	Moderate: org.ovirt.engine-root security, bug fix, and enhancement update	2016-09-28 21:02:10 EDT

Groups: None (edit)

Description Martin Prpič 2016-08-30 04:15:02 EDT

When ovirt-engine-provisiondb, a utility usually called by engine-backup, was passed one of the '--provision*db' options to create postgresql DBs/users, the password of the created user is stored in the log file in plain text.

Comment 1 Martin Prpič 2016-08-30 04:15:18 EDT

Acknowledgments:

Name: Yedidyah Bar David (Red Hat)

Comment 2 Martin Prpič 2016-08-30 04:16:08 EDT

Fix included in:

https://gerrit.ovirt.org/#/q/I40c88ad48f8f7c2b8e06802137870b0c198b5129

Comment 4 errata-xmlrpc 2016-09-28 18:16:33 EDT

This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2016:1967 https://rhn.redhat.com/errata/RHSA-2016-1967.html

Note You need to log in before you can comment on or make changes to this bug.