RHUA password disclosure

Solution Verified - Updated -

Issue

We've found that when using rhui-manager and providing user/pwd as arguments, another user can see our password if he
lists the rhui-manager process.

Example of invocation:

# /usr/bin/rhui-manager --username admin --password fancypassword status --code

Example of ps:

root     28180  5.6  1.1 317620 21816 pts/0    R+   13:36   0:00 /usr/bin/python /usr/bin/rhui-manager --username admin --password fancypassword status --code

Version affected is RHUI 2.1-2

[root@xxx log]# rpm -qa | egrep "rhua|rhui"
gofer-0.65.rhui-1.el6_3.noarch
rh-rhui-tools-debug-script-2.1.19-1.el6_4.noarch
grinder-0.0.138.2-1.el6_4.rhui.noarch
gofer-package-0.65.rhui-1.el6_3.noarch
rh-rhui-tools-2.1.19-1.el6_4.noarch
rh-rhua-config-2.1-2.el6.noarch
python-gofer-0.65.rhui-1.el6_3.noarch
rh-rhua-selinux-policy-0.0.6-1.el6.noarch

Could it be possible to replace the password with *'s or something like that in order to not disclose our password?

Environment

  • Red Hat Update Infrastructure 2.1
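
An added example, not part of the original article and not RHUI code: a small Python audit that takes `ps aux`-style rows, flags every process whose command line carries a `--password` value, and returns the row with that value masked. Only the rhui-manager row comes from this page; the other sample rows are constructed and `sometool` is a hypothetical command.

```python
SECRET_FLAGS = {"--password"}  # the flag shown on this page; extend for other tools
MASK = "********"

def command_from_ps(line):
    """Split one `ps aux` row into (user, pid, argv); COMMAND is the 11th column."""
    fields = line.split(None, 10)
    if len(fields) < 11 or not fields[1].isdigit():
        return None  # header row or truncated line
    # ps joins argv with spaces, so argument boundaries here are approximate.
    return fields[0], int(fields[1]), fields[10].split()

def mask_secrets(argv):
    """Mask `--flag value` and `--flag=value`; return (masked_argv, exposed_count)."""
    masked, exposed, hide_next = [], 0, False
    for arg in argv:
        name, eq, value = arg.partition("=")
        if hide_next:
            masked.append(MASK)
            exposed, hide_next = exposed + 1, False
        elif arg in SECRET_FLAGS:
            masked.append(arg)
            hide_next = True
        elif eq and name in SECRET_FLAGS and value:
            masked.append(name + "=" + MASK)
            exposed += 1
        else:
            masked.append(arg)
    return masked, exposed

def audit(ps_lines):
    """Return (user, pid, masked command) for every row that exposes a secret."""
    findings = []
    for parsed in filter(None, map(command_from_ps, ps_lines)):
        user, pid, argv = parsed
        masked, exposed = mask_secrets(argv)
        if exposed:
            findings.append((user, pid, " ".join(masked)))
    return findings

# Constructed sample: the ps row quoted on this page plus made-up rows.
SAMPLE = [
    "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND",
    "root     28180  5.6  1.1 317620 21816 pts/0    R+   13:36   0:00 /usr/bin/python /usr/bin/rhui-manager --username admin --password fancypassword status --code",
    "root      1203  0.0  0.1  66260  1200 ?        Ss   09:12   0:00 /usr/sbin/sshd",
    "alice    28200  0.0  0.1 108472  1100 pts/2    S+   13:37   0:00 sometool --password=hunter2 sync",
]

if __name__ == "__main__":
    for user, pid, cmd in audit(SAMPLE):
        print(f"{user} pid={pid}: {cmd}")
```

Masking only cleans up the report: the value stays readable in the live process's argument list for as long as that process runs.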
