The virt-install(1) utility, used to provision new virtual machines, has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM passwords as command line arguments, thus leaking them to other users on the system via the process listing. It was introduced recently in the virt-manager v2.2.0 release.

Upstream patch:
---------------
  -> https://www.redhat.com/archives/virt-tools-list/2019-July/msg00014.html

Reference:
----------
  -> https://virt-manager.org/download/
  -> https://www.openwall.com/lists/oss-security/2019/07/03/1
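The exposure described above can be checked for on a host with a small audit script. This is an added example, not part of the original report and not virt-manager code. It parses /proc-style command-line records and flags virt-install processes whose '--unattended' value carries a password inline. The sample records are constructed, and the sub-option key names and the "key ends in password" heuristic are assumptions.

```python
import os

# Constructed /proc/<pid>/cmdline records (NUL-separated argv); not real captures.
# The sub-option key names below are assumed for illustration.
SAMPLE_LEAKY = (b"/usr/bin/python3\0/usr/bin/virt-install\0--name\0demo\0"
                b"--unattended\0profile=desktop,admin-password=EXAMPLE-ONLY\0")
SAMPLE_CLEAN = b"virt-install\0--name\0demo\0--unattended\0--noautoconsole\0"

def parse_cmdline(raw):
    """Split a NUL-separated cmdline record into a list of argument strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def unattended_values(argv):
    """Yield values passed as '--unattended VALUE' or '--unattended=VALUE'."""
    for i, arg in enumerate(argv):
        if arg.startswith("--unattended="):
            yield arg.split("=", 1)[1]
        elif arg == "--unattended" and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            yield argv[i + 1]

def inline_password_keys(argv):
    """Return sub-option names that put a password directly into argv."""
    # virt-install is a script, so argv[0] may be the interpreter.
    if not any(os.path.basename(a) == "virt-install" for a in argv[:2]):
        return []
    keys = []
    for value in unattended_values(argv):
        for item in value.split(","):
            key, sep, secret = item.partition("=")
            # Heuristic (assumption): a key ending in "password" holds the secret itself.
            if sep and secret and key.lower().endswith("password"):
                keys.append(key)  # report the key only, never the value
    return keys

def scan_proc(proc="/proc"):
    """Map PID -> offending keys for processes visible to the caller."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                keys = inline_password_keys(parse_cmdline(fh.read()))
        except OSError:
            continue  # process exited, or cmdline not readable
        if keys:
            findings[int(pid)] = keys
    return findings

if __name__ == "__main__":
    print(inline_password_keys(parse_cmdline(SAMPLE_LEAKY)))
    print(scan_proc())
```

On hosts where /proc is mounted with hidepid, scan_proc() only sees the caller's own processes unless it runs as root.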
Acknowledgments: Name: Daniel P. Berrangé (Red Hat Inc.)
Created virt-manager tracking bugs for this issue: Affects: fedora-all [bug 1726536]
External References: https://virt-manager.org/download/ https://www.openwall.com/lists/oss-security/2019/07/03/1
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3464 https://access.redhat.com/errata/RHSA-2019:3464
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10183