Bug 1683157 - CVE-2019-10194 ovirt-engine-metrics: disclosure of sensitive passwords in log files and ansible playbooks [rhev-m-4.3.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2020-02-26
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-metrics
Version: 4.3.1
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.3.5-1
: 4.3.5
Assignee: Shirly Radco
QA Contact: Ivana Saranova
URL:
Whiteboard:
Depends On: 1715513
Blocks: 1723786 CVE-2019-10194
 
Reported: 2019-02-26 10:53 UTC by Avital Pinnick
Modified: 2019-08-15 13:29 UTC

Fixed In Version: ovirt-engine-metrics-1.3.3
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-15 13:29:27 UTC
oVirt Team: Metrics
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2499 0 None None None 2019-08-15 13:29:42 UTC
oVirt gerrit 98760 0 master MERGED Disabled logging for sensitive tasks 2020-09-07 07:45:22 UTC
oVirt gerrit 99251 0 master MERGED Remove generated openshift_logging_admin_password 2020-09-07 07:45:22 UTC
oVirt gerrit 99255 0 ovirt-engine-metrics-4.2 MERGED Remove generated openshift_logging_admin_password 2020-09-07 07:45:22 UTC
oVirt gerrit 99270 0 master MERGED Fix bug with root_password in vars.yaml 2020-09-07 07:45:21 UTC
oVirt gerrit 99272 0 ovirt-engine-metrics-4.2 MERGED Fix bug with root_password in vars.yaml 2020-09-07 07:45:21 UTC
oVirt gerrit 99361 0 ovirt-engine-metrics-4.2 MERGED Add no_log to metrics_store_post_installation.yaml.template 2020-09-07 07:45:21 UTC
oVirt gerrit 99364 0 ovirt-engine-metrics-4.2 MERGED Add no_log to metrics_store_post_installation.yaml.template 2020-09-07 07:45:21 UTC
oVirt gerrit 101213 0 master MERGED Remove unrequired debug messages 2020-09-07 07:45:22 UTC
oVirt gerrit 102025 0 master MERGED Hide sensitive data when running in verbose mode 2020-09-07 07:45:22 UTC

Description Avital Pinnick 2019-02-26 10:53:21 UTC
Metrics Store installation and configuration uses passwords for Subscription Manager, RHVM, Metrics Store VM root user, container registry, Kibana, and OpenShift console.

Tasks that use passwords should have `no_log: true` set to ensure that running a playbook in verbose mode does not expose passwords. 

In the latest patch set, `no_log: true` seems to be used only in ovirt-engine-metrics/roles/oVirt.read-local-pki-files/tasks/main.yml.

Comment 2 Ivana Saranova 2019-04-05 17:01:29 UTC
I found several issues when inspecting the code:

All the passwords are in plain text in these files:

/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/vars.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/metrics_store_post_installation.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/vars.yaml
/usr/share/ansible/roles/oVirt.metrics/roles/oVirt.origin-on-ovirt/files/metrics_store_post_installation.yaml

Tested in:
ovirt-engine-metrics-1.2.1.3-1.el7ev.noarch

Comment 3 Ivana Saranova 2019-04-08 15:03:43 UTC
Installation failed on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1697521

Tested in: 
ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch
ovirt-engine-4.3.3.1-0.1.el7.noarch

Comment 5 Ivana Saranova 2019-04-10 14:16:24 UTC
`no_log: true` is still missing in metrics_post_installation.yml for the task [Assign the password immediately without login]. Running the install_okd.yml playbook with -vvv makes the password visible in plaintext in the log of the task.

Tested in:
ovirt-engine-4.2.8.5-0.1.el7ev.noarch
ovirt-engine-metrics-1.2.2.2-1.el7ev.noarch

Also tested in:
ovirt-engine-4.3.3.1-0.1.el7.noarch
ovirt-engine-metrics-1.3.0.1-1.el7ev.noarch

Comment 9 Ivana Saranova 2019-05-30 14:32:49 UTC
Cannot verify due to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1715513

Comment 18 Doran Moppert 2019-07-08 06:46:45 UTC
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 26-Feb-2020.

Refer to this bug's Description for information about how to resolve this bug.

Comment 24 Ivana Saranova 2019-08-01 13:51:12 UTC
Steps:
1) Install metrics store according to the documentation
2) Run all the installation scripts in verbose mode and save the logs
3) Check that none of the logs or files generated by the installation contain any of the passwords used in the secure-vars.yaml file

Results:
No passwords in plaintext generated by installation

Verified in:
ovirt-engine-4.3.5.4-0.1.el7.noarch
ansible-2.8.3-1.el7ae.noarch
ovirt-engine-metrics-1.3.3.3-1.el7.noarch
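The following script is an added example, not part of the bug report or of the ovirt-engine-metrics project. It covers two things the report describes: the `no_log: true` requirement from the Description (shown as a constructed task before and after the fix, with constructed excerpts of what `ansible-playbook -vvv` prints for each), and the verification step from Comment 24 (take every value from secure-vars.yaml and report any log or generated file that still contains it in cleartext). The vars file, task snippets and log lines are constructed samples; the flat `key: value` parser is an assumption that avoids a PyYAML dependency.

```python
"""Check Ansible verbose logs and generated files for leaked secrets.

Added example, not code from the bug report or the ovirt-engine-metrics
project. Every sample below (vars file, tasks, log excerpts) is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed secure-vars.yaml. A real file holds the Subscription Manager,
# RHVM, root, registry, Kibana and OpenShift passwords named in the bug.
SECURE_VARS = """\
# secure-vars.yaml (constructed sample)
rhsub_password: Sub-Pass-1234
engine_password: Engine-Pass-5678
root_password: Root-Pass-90ab
"""

# Constructed task as it looked before the fix: the password is part of the
# task arguments and nothing stops Ansible from printing it under -vvv.
TASK_BEFORE = """\
- name: Assign the password immediately without login
  shell: "echo {{ root_password }} | passwd --stdin root"
"""

# Same task with the fix the bug asks for: no_log: true makes Ansible
# replace the task arguments and result with a fixed notice.
TASK_AFTER = """\
- name: Assign the password immediately without login
  shell: "echo {{ root_password }} | passwd --stdin root"
  no_log: true
"""

# Constructed excerpts of `ansible-playbook -vvv` output for each variant.
LOG_BEFORE = """\
TASK [Assign the password immediately without login] *****
changed: [metrics-store] => {"changed": true, "cmd": "echo Root-Pass-90ab | passwd --stdin root", "rc": 0}
"""

LOG_AFTER = """\
TASK [Assign the password immediately without login] *****
changed: [metrics-store] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": true}
"""


def load_secrets(vars_text: str) -> Dict[str, str]:
    """Parse a flat `key: value` vars file into a dict (assumes no nesting)."""
    secrets = {}
    for line in vars_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value:
            secrets[key.strip()] = value
    return secrets


def find_leaks(secrets: Dict[str, str],
               artifacts: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (artifact_name, secret_name, line_no) for every cleartext hit.

    Matching is on the secret value, not the variable name: a log that
    mentions `root_password` is fine, one that prints its value is not.
    """
    leaks = []
    for art_name, text in artifacts.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for var, value in secrets.items():
                if re.search(re.escape(value), line):
                    leaks.append((art_name, var, line_no))
    return leaks


def has_no_log(task_yaml: str) -> bool:
    """True if the task snippet sets no_log: true (simple textual check)."""
    return re.search(r"^\s*no_log:\s*true\s*$", task_yaml, re.MULTILINE) is not None


if __name__ == "__main__":
    secrets = load_secrets(SECURE_VARS)
    for label, task, log in (("before", TASK_BEFORE, LOG_BEFORE),
                             ("after", TASK_AFTER, LOG_AFTER)):
        leaks = find_leaks(secrets, {f"install_okd-{label}.log": log})
        print(f"{label}: no_log set={has_no_log(task)}, leaks={leaks}")
```

On a real host, `artifacts` would be filled by reading the saved verbose logs plus the generated vars.yaml and metrics_store_post_installation.yaml files listed in Comment 2, so that one pass covers both the "log files" and "ansible playbooks" halves of the CVE title. Scanning by value rather than by variable name keeps the check honest: `no_log` hides the value, and that is what the scan has to confirm.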

Comment 27 errata-xmlrpc 2019-08-15 13:29:27 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2499

