Bug 2128834 (CVE-2022-3261) - CVE-2022-3261 openstack: plain-text passwords saved in /var/log/messages
Summary: CVE-2022-3261 openstack: plain-text passwords saved in /var/log/messages
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2212327 2212531
Depends On: 2117459 2128839
Blocks: 2121545 2212327
Reported: 2022-09-21 15:47 UTC by Sage McTaggart
Modified: 2023-11-20 20:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem.
Clone Of:
Environment:
Last Closed: 2022-12-07 17:32:52 UTC
Embargoed:



Description Sage McTaggart 2022-09-21 15:47:56 UTC
Description of problem:

There are multiple components that show plain-text passwords in /var/log/messages during an openstack overcloud update run.

{'command': ['/bin/bash', '-c', "/usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret '3E4DB0C9-EA6B-4A8E-B3E1-FF8D5B3D2643' --base64 'SGVsbG8gdGhlcmUgOi0pCg=='"]

/usr/bin/redis-cli -s /var/run/redis/redis.sock -a <password> info 

mysql --defaults-extra-file=/etc/my.cnf -nNE --connect-timeout=10 --user=clustercheck --password=<password> --host=localhost --port=3306 -e SHOW STATUS LIKE 'wsrep_local_state'; 

mysql -nNE --user=clustercheck --password=<password> -h localhost -e show status like 'wsrep_cluster_status';


Version-Release number of selected component (if applicable):

RHOSP16.2

How reproducible:

openstack overcloud update run

And check /var/log/messages

Actual results:

Passwords are visible in /var/log/messages

Expected results:

The passwords should be redacted or hidden otherwise.

Additional info:
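The redaction the reporter asks for under "Expected results", as an added example that is not code from OpenStack, TripleO or this bug: a Python filter that scrubs the three credential-bearing command shapes quoted above (mysql --password=, redis-cli -a, virsh secret-set-value --base64) from log lines before they reach syslog, plus a scan over already-written lines to find leaks that got through. The regexes, the placeholder string, the RedactingFilter class and the sample log lines are this example's own assumptions (the sample lines are constructed, with made-up credentials), not OpenStack's code or real log output.

```python
import logging
import re

REDACTED = "<redacted>"

# Regexes for the credential-bearing command fragments quoted in this bug.
# Group 1 keeps the option; the value that follows is replaced. The negative
# lookahead makes redaction idempotent and stops the scanner from flagging
# lines that were already scrubbed. These patterns are this example's own.
_VALUE = r"(?!" + re.escape(REDACTED) + r")(?:'[^']*'|\"[^\"]*\"|\S+)"
SECRET_PATTERNS = [
    # mysql/mysqladmin: --password=VALUE or --password VALUE
    re.compile(r"(--password[= ])" + _VALUE),
    # redis-cli ... -a VALUE
    re.compile(r"(\bredis-cli\b[^\n]*?\s-a\s)" + _VALUE),
    # virsh secret-set-value ... --base64 VALUE
    re.compile(r"(\bsecret-set-value\b[^\n]*?--base64\s)" + _VALUE),
]


def redact(line: str) -> str:
    """Replace every credential value recognised by SECRET_PATTERNS."""
    for pat in SECRET_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def contains_credential(line: str) -> bool:
    """True if the line still carries an unredacted credential value."""
    return any(p.search(line) for p in SECRET_PATTERNS)


def scan_log(lines):
    """Detection over an existing log: [(line_number, redacted_line)] for leaks."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1)
            if contains_credential(line)]


class RedactingFilter(logging.Filter):
    """Mitigation at the source: scrub each record before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def filtered_message(message: str) -> str:
    """Push one message through RedactingFilter; return what a handler would see."""
    record = logging.LogRecord("overcloud", logging.INFO, __file__, 0,
                               message, None, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample /var/log/messages lines (hypothetical hosts and credentials).
SAMPLE_LOG = [
    "Sep 21 15:47:01 overcloud-controller-0 puppet-user[1234]: mysql -nNE "
    "--user=clustercheck --password=Constructed-Pw-1 -h localhost "
    "-e show status like 'wsrep_cluster_status';",
    "Sep 21 15:47:02 overcloud-controller-0 podman[1235]: /usr/bin/redis-cli "
    "-s /var/run/redis/redis.sock -a Constructed-Pw-2 info",
    "Sep 21 15:47:03 overcloud-controller-0 ansible[1236]: {'command': "
    "['/bin/bash', '-c', \"/usr/bin/virsh secret-define --file /etc/nova/secret.xml "
    "&& /usr/bin/virsh secret-set-value --secret "
    "'00000000-0000-0000-0000-000000000000' --base64 'Q29uc3RydWN0ZWQ='\"]}",
    "Sep 21 15:47:04 overcloud-controller-0 systemd[1]: Started "
    "tripleo_nova_compute.service.",
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Attach `RedactingFilter` to the logger (or handler) that feeds syslog so the scrubbing happens before the line is written; `scan_log` is the after-the-fact check for lines that were already persisted. Both only know the shapes quoted in this bug, so any new command that passes a secret on its command line needs its own pattern.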

Comment 3 Product Security DevOps Team 2022-12-07 17:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3261

Comment 4 Anten Skrabec 2023-06-06 19:29:20 UTC
*** Bug 2212327 has been marked as a duplicate of this bug. ***

Comment 5 Anten Skrabec 2023-06-06 19:29:31 UTC
*** Bug 2212531 has been marked as a duplicate of this bug. ***

