2083851 – (CVE-2022-1662) CVE-2022-1662 convert2rhel: ansible playbook passes credentials to convert2rhel via CLI

Bug 2083851 (CVE-2022-1662) - CVE-2022-1662 convert2rhel: ansible playbook passes credentials to convert2rhel via CLI

Summary: CVE-2022-1662 convert2rhel: ansible playbook passes credentials to convert2rh...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-1662
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2054854 2083859
TreeView+	depends on / blocked

Reported:	2022-05-10 19:33 UTC by Todd Cullum
Modified:	2022-07-14 13:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:	convert2rhel 0.26 Vivi
Clone Of:
Environment:
Last Closed:	2022-05-12 06:15:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Todd Cullum 2022-05-10 19:33:05 UTC

In convert2rhel 0.24 and 0.25, there's an ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This could allow unauthorized local users to view the password via the process list while convert2rhel is running. However, this ansible playbook is only an example in the upstream repository and it is not shipped in officially supported versions of convert2rhel.

Commit that introduced the flaw: https://github.com/oamg/convert2rhel/commit/01a6d5596c88118b871f849077f4ffd44ba9e5aa
Upstream patch: https://github.com/oamg/convert2rhel/pull/493/commits/15cace456d06f31e7ddb7cdb443bd2cc8a1614e1

Comment 1 Product Security DevOps Team 2022-05-12 06:15:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1662

Note You need to log in before you can comment on or make changes to this bug.