Bug 2128834 (CVE-2022-3261) - CVE-2022-3261 openstack: plain-text passwords saved in /var/log/messages
Summary: CVE-2022-3261 openstack: plain-text passwords saved in /var/log/messages
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2022-3261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat 2117459, Embargoed 2128839
Blocks: Embargoed 2121545
Reported: 2022-09-21 15:47 UTC by Sage McTaggart
Modified: 2022-12-07 17:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-07 17:32:52 UTC



Description Sage McTaggart 2022-09-21 15:47:56 UTC
Description of problem:

There are multiple components that show plain-text passwords in /var/log/messages during an openstack overcloud update run.

{'command': ['/bin/bash', '-c', "/usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret '3E4DB0C9-EA6B-4A8E-B3E1-FF8D5B3D2643' --base64 'SGVsbG8gdGhlcmUgOi0pCg=='"]

/usr/bin/redis-cli -s /var/run/redis/redis.sock -a <password> info 

mysql --defaults-extra-file=/etc/my.cnf -nNE --connect-timeout=10 --user=clustercheck --password=<password> --host=localhost --port=3306 -e SHOW STATUS LIKE 'wsrep_local_state'; 

mysql -nNE --user=clustercheck --password=<password> -h localhost -e show status like 'wsrep_cluster_status';


Version-Release number of selected component (if applicable):

RHOSP16.2

How reproducible:

openstack overcloud update run

And check /var/log/messages

Actual results:

Passwords are visible in /var/log/messages

Expected results:

The passwords should be redacted or hidden otherwise.

Additional info:
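The report expects the passwords to be redacted or hidden. The following is an added example, not part of the bug report or of any Red Hat or OpenStack code, showing a defender-side check that scans syslog-style lines for the three command shapes quoted above (redis-cli -a, mysql --password=, virsh secret-set-value --base64) and masks the credential value. The log lines, host names and credential values are constructed placeholders; the regexes and function names are this example's own, not anything from the affected components.

```python
from __future__ import annotations

import re

# Constructed sample lines modelled on the commands quoted in the report.
# Host names, PIDs and credential values are placeholders, not real data.
SAMPLE_LOG = """\
Sep 21 15:47:01 overcloud-controller-0 ansible[1234]: /usr/bin/redis-cli -s /var/run/redis/redis.sock -a Xy9examplePass info
Sep 21 15:47:02 overcloud-controller-0 ansible[1234]: mysql -nNE --user=clustercheck --password=s3cretExample -h localhost -e show status like 'wsrep_cluster_status';
Sep 21 15:47:03 overcloud-controller-0 ansible[1234]: /usr/bin/virsh secret-set-value --secret '3E4DB0C9-EA6B-4A8E-B3E1-FF8D5B3D2643' --base64 'SGVsbG8gdGhlcmUgOi0pCg=='
Sep 21 15:47:04 overcloud-controller-0 ansible[1234]: systemctl restart tripleo_nova_libvirt.service
"""

# Each pattern captures the prefix up to and including the option (group 1)
# and the secret value itself (group 2), so only the value is replaced.
SECRET_PATTERNS = [
    # mysql --password=<value>
    re.compile(r"(--password=)(\S+)"),
    # redis-cli ... -a <value>
    re.compile(r"(\bredis-cli\b.*?\s-a\s+)(\S+)"),
    # virsh secret-set-value ... --base64 <quoted or bare value>
    re.compile(r"(--base64\s+)('[^']*'|\"[^\"]*\"|\S+)"),
]

REDACTED = "<redacted>"


def redact_line(line: str) -> tuple[str, int]:
    """Return the line with credential values masked and the number of values masked."""
    hits = 0
    for pat in SECRET_PATTERNS:
        line, n = pat.subn(lambda m: m.group(1) + REDACTED, line)
        hits += n
    return line, hits


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for every line that carried a credential.

    A non-empty result on a production /var/log/messages is a detection that the
    leak described in the report is present; the redacted form is safe to forward.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        redacted, hits = redact_line(line)
        if hits:
            findings.append((lineno, redacted))
    return findings


if __name__ == "__main__":
    for lineno, redacted in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {redacted}")
```

Run against the constructed sample, the first three lines are reported with their secrets masked and the fourth (a plain systemctl call) is left alone. Pointing `scan_log` at a real /var/log/messages from an update run gives a quick yes/no on whether the redaction the report asks for is actually in place.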

Comment 3 Product Security DevOps Team 2022-12-07 17:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3261

