2004625 – BMC credentials could be logged if they change

Bug 2004625 - BMC credentials could be logged if they change

Summary: BMC credentials could be logged if they change

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Bare Metal Hardware Provisioning
Sub Component:
Version:	4.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.10.0
Assignee:	Zane Bitter
QA Contact:	Lubov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2009849
TreeView+	depends on / blocked

Reported:	2021-09-15 16:59 UTC by Zane Bitter
Modified:	2022-03-10 16:11 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2009849 (view as bug list)
Environment:
Last Closed:	2022-03-10 16:10:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	metal3-io baremetal-operator issues 980	None	open	BMC passwords can sometimes be logged	2021-09-15 16:59:38 UTC
Github	openshift baremetal-operator pull 180	None	open	Merge upstream 2021-10-01	2021-10-01 18:46:38 UTC
Red Hat Product Errata	RHSA-2022:0056	None	None	None	2022-03-10 16:11:36 UTC

Description Zane Bitter 2021-09-15 16:59:38 UTC

Beginning with 4.9, if the user changes the credentials for a BaremetalHost (by editing or changing the Secret that contains them), the baremetal operator may log the new credentials in the process of updating them in Ironic.

This is a very rare event as users don't generally change the BMC credentials, but it should be avoided.

Comment 2 Lubov 2021-10-14 18:07:29 UTC

verified on 4.10.0-0.nightly-2021-10-10-083341: no mention of the password after changed in secret

Comment 5 errata-xmlrpc 2022-03-10 16:10:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Note You need to log in before you can comment on or make changes to this bug.