Bug 2280249 (CVE-2024-4840) - CVE-2024-4840 rhosp-director: cleartext passwords exposed in logs
Summary: CVE-2024-4840 rhosp-director: cleartext passwords exposed in logs
Status: NEW
Alias: CVE-2024-4840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2280252 2280253
Blocks: 2280250
TreeView+ depends on / blocked
Reported: 2024-05-13 16:53 UTC by Robb Gatica
Modified: 2024-05-30 22:41 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
An flaw was found in the OpenStack Platform (RHOSP) director, a toolset for installing and managing a complete RHOSP environment. Plaintext passwords may be stored in log files, which can expose sensitive information to anyone with access to the logs.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Robb Gatica 2024-05-13 16:53:44 UTC
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2279386

Description of problem: 
It was found that DB_ROOT_PASSWORD and RABBITMQ_CLUSTER_COOKIE found in cleartext in /var/log/messages. This seems to happen when mysql container is bootstrapped. 

Version-Release number of selected component (if applicable):
17.1, as well as 16.2

How reproducible:

Steps to Reproduce:
1. run undercloud deploy or upgrade, or re-run undercloud install command

Actual results:
clear text passwords printed in logs

Expected results:
clear text passwords not printed in logs

Additional info:
This seems to happen even when undercloud_debug = false

Note You need to log in before you can comment on or make changes to this bug.