1371428 – (CVE-2016-5432) CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text

Bug 1371428 (CVE-2016-5432) - CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text

Summary: CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-5432
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1371612 1371613
Blocks:	1371429
TreeView+	depends on / blocked

Reported:	2016-08-30 08:15 UTC by Martin Prpič
Modified:	2021-02-17 03:25 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the ovirt-engine-provisiondb utility did not correctly sanitize the authentication details used with the “—provision*db” options from the output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords.
Clone Of:
Environment:
Last Closed:	2016-09-29 19:12:10 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1967	0	normal	SHIPPED_LIVE	Moderate: org.ovirt.engine-root security, bug fix, and enhancement update	2016-09-29 01:02:10 UTC

Description Martin Prpič 2016-08-30 08:15:02 UTC

When ovirt-engine-provisiondb, a utility usually called by engine-backup, was passed one of the '--provision*db' options to create postgresql DBs/users, the password of the created user is stored in the log file in plain text.

Comment 1 Martin Prpič 2016-08-30 08:15:18 UTC

Acknowledgments:

Name: Yedidyah Bar David (Red Hat)

Comment 2 Martin Prpič 2016-08-30 08:16:08 UTC

Fix included in:

https://gerrit.ovirt.org/#/q/I40c88ad48f8f7c2b8e06802137870b0c198b5129

Comment 4 errata-xmlrpc 2016-09-28 22:16:33 UTC

This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2016:1967 https://rhn.redhat.com/errata/RHSA-2016-1967.html

Note You need to log in before you can comment on or make changes to this bug.