oss-sec mailing list archives

CVE-2017-2672: Foreman image password disclosure in audit log


From: Dominic Cleal <dominic () cleal org>
Date: Thu, 6 Apr 2017 14:22:55 +0100

CVE-2017-2672: Foreman compute resource image passwords disclosed via
audit log

When images for compute resources (e.g. an OpenStack image) are
added/registered in Foreman, the password used to log in is recorded in
plain text in the audit log. This may allow users with access to view
the audit log to access newly provisioned hosts using the stored
credentials.

Mitigation: remove view_audit_logs permission from users, change image
passwords.
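To make the bug class concrete: an added Ruby example, not Foreman's code or the linked patch, with a simplified stand-in for an audit-change recorder (the AuditRecorder class, the leaked_secret_entries check and the SECRET_ATTRS list are assumed names, and the image attributes are constructed sample data). It shows that a recorder which stores every changed attribute writes the image password into the audit trail, that excluding the attribute stops this, and how a defender can find audit entries that already carry a secret so they can be purged and the credentials rotated.

```ruby
require 'set'

# Hypothetical, simplified stand-in for an ActiveRecord audit recorder:
# it stores every changed attribute as a [before, after] pair, the way
# an audit row for a compute resource Image would be persisted.
class AuditRecorder
  attr_reader :entries

  # excluded: attribute names that must never be written to the audit trail
  def initialize(excluded: [])
    @excluded = excluded.map(&:to_s).to_set
    @entries = []
  end

  # Record an update of `before` -> `after` (hashes of attribute => value)
  # and return the audited_changes hash that would be persisted.
  def record(auditable_type, before, after)
    changes = {}
    (before.keys | after.keys).each do |attr|
      next if @excluded.include?(attr.to_s)
      next if before[attr] == after[attr]
      changes[attr.to_s] = [before[attr], after[attr]]
    end
    @entries << { 'auditable_type' => auditable_type, 'audited_changes' => changes }
    changes
  end
end

SECRET_ATTRS = %w[password passwd secret token].freeze

# Defender-side check: select audit entries whose audited_changes carry a
# secret-looking attribute, i.e. entries that must be purged and whose
# credentials must be rotated.
def leaked_secret_entries(entries, secret_attrs = SECRET_ATTRS)
  entries.select do |e|
    e['audited_changes'].keys.any? { |k| secret_attrs.include?(k.downcase) }
  end
end

# Constructed sample: an image being registered for a compute resource.
image_before = { 'name' => nil, 'username' => nil, 'password' => nil, 'uuid' => nil }
image_after  = { 'name' => 'centos7', 'username' => 'root', 'password' => 'S3cret!', 'uuid' => 'img-0001' }

leaky = AuditRecorder.new                       # audits every attribute
leaky.record('Image', image_before, image_after)
puts "leaked entries (no exclusion): #{leaked_secret_entries(leaky.entries).size}"       # → 1

safe = AuditRecorder.new(excluded: %w[password]) # password kept out of the audit trail
safe.record('Image', image_before, image_after)
puts "leaked entries (password excluded): #{leaked_secret_entries(safe.entries).size}"   # → 0
```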

This issue was reported by Daniel Kimsey.

Affects Foreman 1.4 and higher
Fix due to be released

Patch:
https://github.com/theforeman/foreman/commit/02489389f1a4443e1f437b86aa7ce245f1437020

More information:
https://theforeman.org/security.html#2017-2672
http://projects.theforeman.org/issues/19169
https://theforeman.org

-- 
Dominic Cleal
dominic () cleal org
