It was found that the ovirt-engine-provisiondb utility did not sanitize the authentication details supplied with the '--provision*db' options before writing its output to log files. An attacker with read access to these log files could obtain sensitive information such as passwords.
When ovirt-engine-provisiondb, a utility usually called by engine-backup, was passed one of the '--provision*db' options to create PostgreSQL databases/users, the password of the created user was stored in the log file in plain text.
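One way to keep such a password out of a log is to mask registered secret values before a record reaches the handler. The following is an added example, not code from ovirt-engine-provisiondb; the class and function names, the role name, the password and the logged SQL line are all constructed for illustration.

```python
import io
import logging


class SecretRedactingFilter(logging.Filter):
    """Replace registered secret values with a mask before a record is written."""
    MASK = "**FILTERED**"

    def __init__(self):
        super().__init__()
        self._secrets = set()

    def register(self, secret):
        if secret:  # an empty string would match at every position
            self._secrets.add(str(secret))

    def redact(self, text):
        # Longest first, so a secret that contains a shorter one is masked whole.
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, self.MASK)
        return text

    def filter(self, record):
        # Render msg % args first so secrets passed as arguments are covered too.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True


def provision_user(log, redactor, user, password):
    """Hypothetical provisioning step that logs the SQL it is about to run."""
    redactor.register(password)  # register before the first log call
    log.debug("executing: CREATE ROLE %s WITH LOGIN PASSWORD '%s'", user, password)


def run_demo(use_filter, password="S3cr3t-constructed"):
    """Return the log text produced with or without the redacting filter."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    redactor = SecretRedactingFilter()
    if use_filter:
        handler.addFilter(redactor)
    log = logging.getLogger("provisiondb-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False  # keep the record away from any root handlers
    log.addHandler(handler)
    provision_user(log, redactor, "engine_demo", password)
    log.removeHandler(handler)
    return stream.getvalue()
```

The filter rewrites only the message text; tracebacks attached through `exc_info` are formatted later by the handler and are not masked by it.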
Name: Yedidyah Bar David (Red Hat)
Fix included in:
This issue has been addressed in the following products:
RHEV Engine version 4.0
Via RHSA-2016:1967 https://rhn.redhat.com/errata/RHSA-2016-1967.html