Bug 1512365 (CVE-2017-15113) - CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords
Summary: CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15113
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1513329 1513331
Blocks: 1511511
Reported: 2017-11-13 02:33 UTC by Doran Moppert
Modified: 2019-09-29 14:25 UTC

Fixed In Version: ovirt-engine 4.1.7.6
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-13 02:50:12 UTC



Description Doran Moppert 2017-11-13 02:33:05 UTC
It was discovered that with log level set to "DEBUG", ovirt-engine includes
passwords in the log file without masking.

Note that only administrators can change the log level, and only administrators
can access logs. This presents a risk when debug-level logs are shared with
vendors etc. to troubleshoot issues.

Upstream patch:

https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commitdiff;h=f4a5d0cc772127dbfe40789e26c4633ceea07d14;hp=e6e8704ac9eb115624ff66e2965877d8e63a45f4

Comment 1 Doran Moppert 2017-11-13 02:33:16 UTC
Acknowledgments:

Name: Jiri Belka (Red Hat)

Comment 2 Doran Moppert 2017-11-13 02:50:12 UTC
This was addressed in ovirt-engine-4.1.7.6-0.1:

https://access.redhat.com/errata/RHEA-2017:3138

Comment 4 Doran Moppert 2017-11-15 08:34:33 UTC
Created ovirt-engine tracking bugs for this issue:

Affects: fedora-all [bug 1513331]

