Bug 1371428 (CVE-2016-5432) - CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text
Summary: CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username...
Status: CLOSED ERRATA
Alias: CVE-2016-5432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160830,repor...
Keywords: Security
Depends On: 1371612 1371613
Blocks: 1371429
TreeView+ depends on / blocked
 
Reported: 2016-08-30 08:15 UTC by Martin Prpič
Modified: 2019-06-08 21:24 UTC (History)
15 users (show)

(edit)
It was found that the ovirt-engine-provisiondb utility did not correctly sanitize the authentication details used with the “—provision*db” options from the output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords.
Clone Of:
(edit)
Last Closed: 2016-09-29 19:12:10 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1967 normal SHIPPED_LIVE Moderate: org.ovirt.engine-root security, bug fix, and enhancement update 2016-09-29 01:02:10 UTC

Description Martin Prpič 2016-08-30 08:15:02 UTC
When ovirt-engine-provisiondb, a utility usually called by engine-backup, was passed one of the '--provision*db' options to create postgresql DBs/users, the password of the created user is stored in the log file in plain text.

Comment 1 Martin Prpič 2016-08-30 08:15:18 UTC
Acknowledgments:

Name: Yedidyah Bar David (Red Hat)

Comment 2 Martin Prpič 2016-08-30 08:16:08 UTC
Fix included in:

https://gerrit.ovirt.org/#/q/I40c88ad48f8f7c2b8e06802137870b0c198b5129

Comment 4 errata-xmlrpc 2016-09-28 22:16:33 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2016:1967 https://rhn.redhat.com/errata/RHSA-2016-1967.html


Note You need to log in before you can comment on or make changes to this bug.