RHV Engine and Host Common Packages security update



Published: 2021-07-26
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-3447
CWE-ID CWE-532
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		python-ovirt-engine-sdk4 (Red Hat package)
Operating systems & Components / Operating system package or component

ovirt-ansible-collection (Red Hat package)
Operating systems & Components / Operating system package or component

ansible (Red Hat package)
Operating systems & Components / Operating system package or component

ovirt-openvswitch (Red Hat package)
Operating systems & Components / Operating system package or component

ovirt-imageio (Red Hat package)
Operating systems & Components / Operating system package or component

Red Hat Virtualization Manager
Client/Desktop applications / Virtualization software

Red Hat Enterprise Linux for Power, little endian
Operating systems & Components / Operating system

Red Hat Enterprise Linux for x86_64
Operating systems & Components / Operating system

Red Hat Virtualization
Server applications / Virtualization software

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU52984

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3447

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. A local user can read the log files and gain access to sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python-ovirt-engine-sdk4 (Red Hat package): 4.4.12-1.el8ev

ovirt-ansible-collection (Red Hat package): 1.4.2-1.el8ev

ansible (Red Hat package): 2.9.4-1.el8ae - 2.9.18-1.el8ae

Red Hat Virtualization Manager: 4.4

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for x86_64: 8.0

Red Hat Virtualization: 4

ovirt-openvswitch (Red Hat package): before 2.11-1.el8ev

ovirt-imageio (Red Hat package): before 2.2.0-1.el8ev

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2021:2866


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###