1512365 – (CVE-2017-15113) CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords

Bug 1512365 (CVE-2017-15113) - CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords

Summary: CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-15113
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1513329 1513331
Blocks:	1511511
TreeView+	depends on / blocked

Reported:	2017-11-13 02:33 UTC by Doran Moppert
Modified:	2021-02-17 01:15 UTC (History)
CC List:	17 users (show)
Fixed In Version:	ovirt-engine 4.1.7.6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-13 02:50:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Doran Moppert 2017-11-13 02:33:05 UTC

It was discovered that with log level set to "DEBUG", ovirt-engine includes
passwords in the log file without masking.

Note that only administrators can change the log level, and only administrators
can access logs. This presents a risk when debug-level logs are shared with
vendors etc to troubleshoot issues.

Upstream patch:

https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commitdiff;h=f4a5d0cc772127dbfe40789e26c4633ceea07d14;hp=e6e8704ac9eb115624ff66e2965877d8e63a45f4

Comment 1 Doran Moppert 2017-11-13 02:33:16 UTC

Acknowledgments:

Name: Jiri Belka (Red Hat)

Comment 2 Doran Moppert 2017-11-13 02:50:12 UTC

This was addressed in ovirt-engine-4.1.7.6-0.1:

https://access.redhat.com/errata/RHEA-2017:3138

Comment 4 Doran Moppert 2017-11-15 08:34:33 UTC

Created ovirt-engine tracking bugs for this issue:

Affects: fedora-all [bug 1513331]

Note You need to log in before you can comment on or make changes to this bug.