Bug 1371428 (CVE-2016-5432) - CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text
Summary: CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username...
Alias: CVE-2016-5432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20160830,repor...
Keywords: Security
Depends On: 1371612 1371613
Blocks: 1371429
TreeView+ depends on / blocked
Reported: 2016-08-30 08:15 UTC by Martin Prpič
Modified: 2019-06-08 21:24 UTC (History)
15 users (show)

It was found that the ovirt-engine-provisiondb utility did not correctly sanitize the authentication details used with the “—provision*db” options from the output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords.
Clone Of:
Last Closed: 2016-09-29 19:12:10 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1967 normal SHIPPED_LIVE Moderate: org.ovirt.engine-root security, bug fix, and enhancement update 2016-09-29 01:02:10 UTC

Description Martin Prpič 2016-08-30 08:15:02 UTC
When ovirt-engine-provisiondb, a utility usually called by engine-backup, was passed one of the '--provision*db' options to create postgresql DBs/users, the password of the created user is stored in the log file in plain text.

Comment 1 Martin Prpič 2016-08-30 08:15:18 UTC

Name: Yedidyah Bar David (Red Hat)

Comment 2 Martin Prpič 2016-08-30 08:16:08 UTC
Fix included in:


Comment 4 errata-xmlrpc 2016-09-28 22:16:33 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2016:1967 https://rhn.redhat.com/errata/RHSA-2016-1967.html

Note You need to log in before you can comment on or make changes to this bug.