CVE-2022-2806: [ovirt] answer files: Filter out all password keys by didib · Pull Request #2947 · sosreport/sos
It was found that ovirt-log-collector and sosreport collected the RHV admin password from the engine setup answer files without filtering it out of the generated archive. Fixed in: sos-4.2-20.el8_6, ovirt-log-collector-4.4.7-2.el8ev
Instead of hard-coding specific keys and having to maintain them over
time, replace the values of all keys that have ‘password’ in their name.
I think this covers all our current and hopefully future keys. It might
add “false positives” - keys that are not passwords but have ‘password’
in their name - and I think that’s a risk worth taking.
A partial list of keys added since the replaced code was written:
- grafana-related stuff
- keycloak-related stuff
- otopi-style answer files
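The substitution strategy described in the pull request (mask the value of every key whose name contains "password", rather than maintain a list of known password keys) as a stand-alone worked example. This is added illustration code, not the sos or ovirt-log-collector implementation; the answer file is constructed here and its key names only imitate otopi-style `key=type:value` lines, and the type tags it recognises (`str`, `bool`, `int`, `none`) are an assumption about the files, with anything else treated as part of the value and masked.

```python
import re

# Constructed sample in otopi answer-file style (key=type:value). The key
# names and values are made up for this example; they are not from any host.
SAMPLE_ANSWER_FILE = """\
[environment:default]
OVESETUP_CONFIG/adminPassword=str:SuperSecret123
OVESETUP_CONFIG/fqdn=str:engine.example.com
OVESETUP_DB/password=str:dbpass
OVESETUP_GRAFANA_DB/password=str:grafanapass
OVESETUP_KEYCLOAK/adminPassword=str:keycloakpass
OVESETUP_CONFIG/passwordPolicy=str:strict
OVESETUP_DWH_DB/password=none:None
# OVESETUP_CONFIG/adminPassword=str:commented-out-but-still-a-secret
"""

MASK = "********"

# One key=value line. The optional otopi type tag is captured separately so
# the scrubbed file keeps its shape; the tag set is an assumption, and any
# unrecognised "word:" stays inside the value and is masked with it.
_KV_RE = re.compile(
    r"^(?P<prefix>\s*#?\s*)"          # allow commented-out lines too
    r"(?P<key>[^=\s#][^=]*?)\s*=\s*"   # key up to the first '='
    r"(?P<type>(?:str|bool|int|none):)?"
    r"(?P<value>.*)$"
)


def scrub_answer_file(text: str, needle: str = "password") -> str:
    """Replace the value of every key containing `needle` (case-insensitive).

    Commented-out lines are masked as well, since a '#' in front of a
    password does not stop it from being collected. Keys that merely contain
    the substring (e.g. a 'passwordPolicy' setting) are masked too; that is
    the false-positive trade-off the change accepts.
    """
    out = []
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m and needle in m.group("key").lower():
            out.append(
                f"{m.group('prefix')}{m.group('key')}="
                f"{m.group('type') or ''}{MASK}"
            )
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def verify_scrubbed(scrubbed: str, known_secrets) -> list:
    """Post-check: return any known secret that still appears in the output.

    Useful as a unit test for the filter itself: feed it the values you know
    were in the input and expect an empty list back.
    """
    return [s for s in known_secrets if s and s in scrubbed]


if __name__ == "__main__":
    result = scrub_answer_file(SAMPLE_ANSWER_FILE)
    print(result)
    leaks = verify_scrubbed(
        result, ["SuperSecret123", "dbpass", "grafanapass", "keycloakpass"]
    )
    print("leaked:", leaks)
```

In sos itself a plugin would apply a substitution of this kind from its `postproc()` hook, for example with `do_path_regex_sub()` over the answer-file directory; the point of the regex above is the same as the fix: matching on the key name rather than on a hard-coded list, so keys added later (grafana, keycloak, otopi-style files) are covered without a code change.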
Related news
Ubuntu Security Notice 5636-1 - It was discovered that SoS incorrectly handled certain data. An attacker could possibly use this issue to expose sensitive information.
Red Hat Security Advisory 2022-6393-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.