First published: Wed May 11 2016
It was reported that the engine-setup logs for RHEV-M contained enough information to extract the RHEV-M admin password. Specifically, the log contains the output of each SQL query, including the encrypted admin password from the database, and the result of each external command execution, including the openssl command that extracts the private key from the p12 bundle. With both the encrypted password and the private key in the same file, anyone who is able to read the log file can obtain the admin password. This issue was introduced with the following commit: https://gerrit.ovirt.org/#/c/43578
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Enterprise Virtualization | =3.6 | |
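
A defensive check for the exposure described above, as an added example that is not part of the original advisory or of the RHEV-M code: it locates PEM private-key blocks in a log file, reports whether the file mode lets group or other read it, and can redact the blocks. The sample log lines and all function names are constructed for illustration; the log path is supplied by the caller.

```python
import os
import re
import stat
import tempfile

# Matches any PEM private-key block (PKCS#8, RSA, EC, encrypted PKCS#8).
PEM_KEY = re.compile(
    r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----.*?-----END (?:[A-Z]+ )*PRIVATE KEY-----",
    re.DOTALL)

def find_private_keys(text):
    """Return 1-indexed (first_line, last_line) for each PEM key block."""
    return [(text.count("\n", 0, m.start()) + 1, text.count("\n", 0, m.end()) + 1)
            for m in PEM_KEY.finditer(text)]

def redact_private_keys(text):
    """Replace each key block with a marker so the log can be retained."""
    return PEM_KEY.sub("[REDACTED PRIVATE KEY]", text)

def audit_log(path):
    """Report key blocks in a log and whether group/other can read the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mode = os.stat(path).st_mode
    return {"key_blocks": find_private_keys(text),
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH))}

# Constructed sample; the line format is an assumption, not real engine-setup output.
SAMPLE_LOG = """\
2016-05-11 10:00:01 DEBUG external command stdout:
-----BEGIN PRIVATE KEY-----
CONSTRUCTEDSAMPLENOTAKEY
-----END PRIVATE KEY-----
2016-05-11 10:00:02 DEBUG query result: [constructed placeholder]
"""

def demo():
    """Audit the sample after writing it to a temp file with mode 0644."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_LOG)
    os.chmod(fh.name, 0o644)
    try:
        return audit_log(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo())
```

A log that reports any key block and is readable beyond its owner should have its permissions tightened and the key material redacted or the file removed.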