Bugzilla – Full Text Bug Listing

| Summary: | VUL-1: SUMA: credentials and other secrets disclosure when debug log is enabled | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Paolo Perego <paolo.perego> |
| Component: | Incidents | Assignee: | Michael Calmer <mc> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P2 - High | CC: | gianluca.gabrielli, jgonzalez, kwalter, logu.rangasamy, marina.latini, parlt |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1209434 | | |

Description
Paolo Perego
2023-04-05 10:27:21 UTC
This bug also affects:

* KickstartFormatter.getCommands(), which logs some command parameters at line 326; one of those can be 'rootpw', suggesting a root password.
* KickstartFormatter generateActivationKeyString() and generateActKeyTokens(), disclosing activation keys and tokens.

This bug also affects the updateCobblerFields() method defined in the com.redhat.rhn.manager.kickstart.cobbler.CobblerProfileCommand class, where setRedHatManagementKey is disclosed in the log file when debug log is enabled.

This bug also affects the saveCredentials() method from com.redhat.rhn.frontend.action.renderers.setupwizard.MirrorCredentialsRenderer. username and password are logged to file if debug logging is enabled.

This bug also affects the isPxtSessionKeyValid() method from the com.redhat.rhn.manager.session.SessionManager class, leaking the pxt session cookie when debug log is enabled.

(In reply to Paolo Perego from comment #0)
> Class SystemHandler from com.redhat.rhn.frontend.xmlrpc.system contains the
> following methods (in different prototypes):
> * bootstrap
> * bootstrapWithPrivateSshKey
>
> They contain a log.debug() call that discloses the following sensitive
> information:
>
> * ssh username
> * ssh password
> * activation keys
> * reactivation key
> * ssh private key
> * ssh private key password

This is not a problem.

1. username, activation keys and reactivation keys are not sensitive data.
2. ssh password, ssh private key and ssh private key password are **not** logged.

The "params" parameter is an instance of the BootstrapParameters class. The log.debug() is using the toString() method of this class, which only prints:

```java
.append("host", host)
.append("port", port)
.append("activationKeys", activationKeys)
.append("proxyId", proxyId)
.append("reactivationKey", reactivationKey)
...
```

I continue to check the rest of the comments.
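The toString() behaviour described in the reply above, as an added example that is not code from the original report or from SUSE Manager / spacewalk-java: a hypothetical BootstrapParameters holder whose toString() covers only the non-secret fields (so a log.debug(params) call cannot leak the SSH secrets it carries), beside an unsafe and a hardened version of a saveCredentials()-style debug line. The class, field and method names, and the sample values, are assumptions made for this illustration.

```java
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not project code: shows why log.debug(params) is safe when
// toString() omits secrets, and how a credential-logging line is hardened.
public final class DebugLogRedactionExample {

    private static final Logger LOG = Logger.getLogger(DebugLogRedactionExample.class.getName());

    /** Hypothetical stand-in for BootstrapParameters (names assumed, not the project's class). */
    static final class BootstrapParameters {
        final String host;
        final int port;
        final List<String> activationKeys;
        final String reactivationKey;
        // Secrets live in the object but are deliberately excluded from toString().
        private final String sshPassword;
        private final String sshPrivateKey;
        private final String sshPrivateKeyPassword;

        BootstrapParameters(String host, int port, List<String> activationKeys, String reactivationKey,
                            String sshPassword, String sshPrivateKey, String sshPrivateKeyPassword) {
            this.host = host;
            this.port = port;
            this.activationKeys = activationKeys;
            this.reactivationKey = reactivationKey;
            this.sshPassword = sshPassword;
            this.sshPrivateKey = sshPrivateKey;
            this.sshPrivateKeyPassword = sshPrivateKeyPassword;
        }

        /** Mirrors the append-style toString() quoted in the thread: non-secret fields only. */
        @Override
        public String toString() {
            return "BootstrapParameters[host=" + host + ",port=" + port
                    + ",activationKeys=" + activationKeys + ",reactivationKey=" + reactivationKey + "]";
        }
    }

    /** The defect pattern reported for saveCredentials(): the secret itself ends up in the log. */
    static String unsafeCredentialsLogLine(String username, String password) {
        return "saveCredentials username=" + username + " password=" + password;
    }

    /** Hardened form: keep the useful context, replace the secret with a fixed marker. */
    static String safeCredentialsLogLine(String username, String password) {
        String marker = (password == null || password.isEmpty()) ? "<empty>" : "<redacted>";
        return "saveCredentials username=" + username + " password=" + marker;
    }

    /** Check a unit test can run against log output: does a line contain any of the given secrets? */
    static boolean leaksAny(String logLine, List<String> secrets) {
        for (String s : secrets) {
            if (s != null && !s.isEmpty() && logLine.contains(s)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input; the key material is a placeholder, not a real key.
        String sshPassword = "S3cr3t-ssh-pw";
        String sshKey = "-----BEGIN OPENSSH PRIVATE KEY----- <placeholder> -----END OPENSSH PRIVATE KEY-----";
        String keyPassword = "key-passphrase";
        BootstrapParameters params = new BootstrapParameters("minion.example.test", 22,
                List.of("1-default"), "re-0123", sshPassword, sshKey, keyPassword);
        List<String> secrets = List.of(sshPassword, sshKey, keyPassword);

        // Guarding the debug call avoids building the string at all when debug logging is off
        // (java.util.logging's FINE plays the role of DEBUG here).
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("bootstrap params: " + params);
        }
        System.out.println("toString leaks a secret: " + leaksAny(params.toString(), secrets));

        String unsafe = unsafeCredentialsLogLine("mirror-user", "mirror-pw");
        String safe = safeCredentialsLogLine("mirror-user", "mirror-pw");
        System.out.println("unsafe line leaks: " + leaksAny(unsafe, List.of("mirror-pw")));
        System.out.println("safe line leaks:   " + leaksAny(safe, List.of("mirror-pw")));
    }
}
```

The leaksAny() check is the piece worth keeping around: running it over captured debug output for every known secret in a test turns "does debug logging leak credentials?" into a regression test rather than a manual review, which is how the MirrorCredentialsRenderer and SessionManager cases in this report would be caught before release.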
(In reply to Paolo Perego from comment #3)
> This bug affects also:
>
> * KickstartFormatter.getCommands() that logs some command parameters at line
> 326, one of those can be 'rootpw', suggesting a root password.
> * KickstartFormatter generateActivationKeyString() and
> generateActKeyTokens() disclosing activation keys and tokens

Also not an issue. Activation Keys are not secret. "rootpw" is only the option name. The argument is not logged. The line in the log looks like:

```
2023-04-13 16:07:18,872 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] DEBUG com.redhat.rhn.manager.kickstart.KickstartFormatter - getCommands name: rootpw
```

(In reply to Paolo Perego from comment #5)
> This bug affects also updateCobblerFields() method defined in
> com.redhat.rhn.manager.kickstart.cobbler.CobblerProfileCommand class where
> setRedHatManagementKey is disclosed in log file when debug log is enabled

The RedHatManagementKey is not secret.

I will create a patch for MirrorCredentialsRenderer and SessionManager.

Changes merged. Closing as fixed.

Ok, master needs to be fixed after the CRD. Reopen

Fixed

SUSE-RU-2023:2566-1: An update that solves one vulnerability, contains one feature and has 58 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1201063, 1203599, 1204089, 1204270, 1204900, 1205600, 1206060, 1206191, 1206423, 1206725, 1206783, 1207063, 1207595, 1207814, 1207829, 1207830, 1208288, 1208321, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208661, 1208687, 1208719, 1208772, 1208965, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209277, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-666
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): susemanager-build-keys-15.4.9-150400.3.20.2, spacecmd-4.3.21-150400.3.18.5, mgr-daemon-4.3.7-150400.3.9.5, spacewalk-web-4.3.31-150400.3.21.7, spacewalk-proxy-4.3.16-150400.3.20.6, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-proxy-installer-4.3.11-150400.3.6.4, uyuni-common-libs-4.3.8-150400.3.12.5
SUSE Manager Server 4.3 Module 4.3 (src): susemanager-4.3.27-150400.3.26.5, spacewalk-setup-4.3.16-150400.3.21.6, python-urlgrabber-4.1.0-150400.4.3.6.3, spacewalk-search-4.3.9-150400.3.12.7, virtual-host-gatherer-1.0.26-150400.3.12.3, perl-Satcon-4.3.2-150400.3.3.5, spacewalk-admin-4.3.11-150400.3.6.6, branch-network-formula-0.1.1680167239.23f2fec-150400.3.3.3, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-java-4.3.58-150400.3.46.4, supportutils-plugin-susemanager-4.3.7-150400.3.9.6, spacewalk-config-4.3.10-150400.3.6.3, susemanager-sls-4.3.33-150400.3.25.7, spacecmd-4.3.21-150400.3.18.5, hub-xmlrpc-api-0.7-150400.5.6.5, susemanager-docs_en-4.3-150400.9.27.3, susemanager-tftpsync-4.3.4-150400.3.9.9, cpu-mitigations-formula-0.5.0-150400.3.3.3, susemanager-schema-4.3.18-150400.3.18.7, susemanager-build-keys-15.4.9-150400.3.20.2, spacewalk-web-4.3.31-150400.3.21.7, cobbler-3.3.3-150400.5.25.3, uyuni-common-libs-4.3.8-150400.3.12.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:2592-1: An update that solves two vulnerabilities, contains one feature and has 90 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1201059, 1201063, 1203599, 1204089, 1204186, 1204270, 1204900, 1205011, 1205088, 1205600, 1205759, 1206060, 1206146, 1206191, 1206423, 1206520, 1206562, 1206725, 1206783, 1206800, 1206817, 1206861, 1206932, 1206963, 1206973, 1206979, 1206981, 1207063, 1207087, 1207141, 1207297, 1207352, 1207595, 1207792, 1207799, 1207814, 1207829, 1207830, 1207838, 1207867, 1207883, 1208046, 1208119, 1208288, 1208321, 1208325, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208611, 1208661, 1208687, 1208719, 1208772, 1208908, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209259, 1209277, 1209369, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212096, 1212363, 1212516
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-666
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4, release-notes-susemanager-4.3.6-150400.3.63.2
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.6-150400.3.63.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:2595-1: An update that solves one vulnerability, contains one feature and has 36 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1211956, 1211958, 1212096, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Proxy 4.2 Module 4.2 (src): spacewalk-backend-4.2.28-150300.4.41.4, spacecmd-4.2.23-150300.4.39.4, spacewalk-web-4.2.35-150300.3.44.4, spacewalk-ssl-cert-check-4.2.3-150300.3.3.2, susemanager-build-keys-15.3.9-150300.3.14.1, spacewalk-proxy-installer-4.2.12-150300.3.17.2, spacewalk-certs-tools-4.2.20-150300.3.30.4
SUSE Manager Server 4.2 Module 4.2 (src): inter-server-sync-0.2.8-150300.8.31.2, spacewalk-java-4.2.50-150300.3.66.5, hub-xmlrpc-api-0.7-150300.3.12.3, susemanager-schema-4.2.28-150300.3.38.4, cpu-mitigations-formula-0.5.0-150300.3.6.2, spacecmd-4.2.23-150300.4.39.4, susemanager-docs_en-4.2-150300.12.45.2, susemanager-4.2.42-150300.3.54.4, perl-Satcon-4.2.3-150300.3.3.3, susemanager-doc-indexes-4.2-150300.12.45.4, susemanager-build-keys-15.3.9-150300.3.14.1, branch-network-formula-0.1.1680167239.23f2fec-150300.3.6.2, spacewalk-backend-4.2.28-150300.4.41.4, spacewalk-certs-tools-4.2.20-150300.3.30.4, spacewalk-utils-4.2.19-150300.3.24.2, susemanager-sls-4.2.34-150300.3.51.1, spacewalk-web-4.2.35-150300.3.44.4, virtual-host-gatherer-1.0.26-150300.3.15.2, spacewalk-setup-4.2.12-150300.3.18.3, supportutils-plugin-susemanager-4.2.7-150300.3.15.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:2594-1: An update that solves two vulnerabilities, contains one feature and has 35 security fixes can now be installed.

Category: security (important)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208046, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1212096, 1212363, 1212517
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Retail Branch Server 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Server 4.2 (src): release-notes-susemanager-4.2.13-150300.3.81.1
openSUSE Leap 15.3 (src): release-notes-susemanager-4.2.13-150300.3.81.1, release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Proxy 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.