Bug 1103324 (CVE-2014-3925) - CVE-2014-3925 sos: does not indicate data sent is potentially sensitive on Red Hat Enterprise Linux 5
Summary: CVE-2014-3925 sos: does not indicate data sent is potentially sensitive on Re...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3925
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1065468
Blocks: 1101415
TreeView+ depends on / blocked
 
Reported: 2014-05-30 18:13 UTC by Vincent Danen
Modified: 2021-02-17 06:31 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 14:58:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2014-05-30 18:13:18 UTC 
As noted in bug #1102633, Red Hat Enterprise Linux 5 does not contain the following preamble when running sosreport:

"The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party."

As a result, a user might assume that the contents of the sosreport archive are sanitized and do not contain any sensitive information.  While sosreport does try to remove some common files that contain passwords or other sensitive information (like kerberos keytabs, etc.), it's impossible to catch everything and it is never claimed that it does.

MITRE has assigned CVE-2014-3925 to the implementation of sosreport on Red Hat Enterprise Linux 5 precisely for this reason [1].

[1] http://www.openwall.com/lists/oss-security/2014/05/30/3
Comment 2 Vincent Danen 2015-08-22 14:58:17 UTC 
This was fixed in https://rhn.redhat.com/errata/RHBA-2014-1200.html


Statement:

This issue did not affect the versions of sosreport as shipped with Red Hat Enterprise Linux 6.
Note You need to log in before you can comment on or make changes to this bug.