An information-disclosure flaw was found in the way gluster-block logs
sensitive information. This flaw allows an attacker with access to the
gluster-block logs to read potentially sensitive information, such as
the CHAP passwords for block volumes.
When tuned to debug log-level, gluster-block captures the targetcli exec
commands' output in gluster-blockd.log, which might contain sensitive details.
Also, block volume create/modify/info CLI command outputs might contain
sensitive information; as part of the audit logging, these outputs will be
captured in cmd_history.log and gluster-blockd.log.
What does this PR achieve? Why do we need it?
An information-disclosure flaw was found in the way gluster-block logs sensitive information. This flaw allows an attacker with access to the gluster-block logs to read potentially sensitive information, such as the CHAP passwords for block volumes.
When tuned to debug log-level, gluster-block captures the targetcli exec commands' output in gluster-blockd.log, which might contain sensitive details. Also, block volume create/modify/info CLI command outputs might contain sensitive information; as part of the audit logging, these outputs will be captured in cmd_history.log and gluster-blockd.log.
Does this PR fix issues?
Fixes: CVE-2020-10762
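As an added example, not gluster-block's own code and not the change this PR carries: a log filter that scrubs CHAP secret values out of a line before it reaches a file such as gluster-blockd.log or cmd_history.log, so that debug-level capture of targetcli output and audit logging of create/modify/info results no longer leak the password. The sample lines and the three value formats it recognises (`PASSWORD: value` as printed by the CLI, `password=value` as typed into targetcli, and a JSON-style `"chap_password": "value"`) are constructed assumptions about what such logs look like; the real output formats and the project's actual remediation may differ.

```python
"""Redact CHAP secrets from gluster-block-style log lines before they are written.

Added example, not gluster-block's own code. The line formats below are
constructed to resemble `gluster-block info/create` output and targetcli
auth commands; the real formats may differ.
"""
import io
import logging
import re

REDACTED = "<redacted>"

# Each pattern captures the key prefix as group 1 so the prefix survives
# and only the secret value is replaced.
_SECRET_PATTERNS = [
    # "PASSWORD: s3cr3t"  (gluster-block CLI style, assumed)
    re.compile(r"(?i)(\bpassword\s*:\s*)(\S+)"),
    # "password=s3cr3t" / "chap_password=s3cr3t"  (targetcli key=value, assumed)
    re.compile(r"(?i)(\b(?:chap_)?password\s*=\s*)([^\s,;]+)"),
    # '"password": "s3cr3t"'  (JSON-style saveconfig dump, assumed)
    re.compile(r'(?i)("(?:chap_)?password"\s*:\s*")([^"]*)(?=")'),
]


def redact(line: str) -> str:
    """Return line with every recognised secret value replaced by REDACTED."""
    for pat in _SECRET_PATTERNS:
        line = pat.sub(r"\g<1>" + REDACTED, line)
    return line


class RedactingFilter(logging.Filter):
    """Scrub secrets from the rendered message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args once, redact, and drop args so it is not re-rendered.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "gluster-blockd-example"):
    """Logger at DEBUG level (the level that triggers the leak) writing to a buffer."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.propagate = False
    return logger, stream


# Constructed sample lines resembling what a debug-level gluster-blockd.log or
# cmd_history.log might capture; not real log output.
SAMPLE_LINES = [
    "targetcli exec: /iscsi/iqn.2016-12.org.gluster-block:abc/tpg1 "
    "set auth userid=user1 password=Hunter2!",
    "create output: NAME: blk1 VOLUME: vol1 PASSWORD: 0a1b2c3d USERNAME: blk1",
    'saveconfig: {"userid": "user1", "chap_password": "Hunter2!"}',
    "info: NAME: blk1 SIZE: 1GiB HA: 1",
]


def demo() -> list:
    """Log the samples through the filter and return the lines as written."""
    logger, stream = build_logger()
    for line in SAMPLE_LINES:
        logger.debug("%s", line)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for out in demo():
        print(out)
```

Attaching the filter to the logger rather than to one handler means every destination (daemon log, audit log, console) sees the redacted text, and redacting on the rendered message rather than on individual arguments catches secrets embedded in captured subprocess output, which is exactly how the targetcli exec output ends up in the log.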