Comment 6 for bug 1447866
Revision history for this message
| Nikhil Manchanda (slicknik) wrote Re: Couchbase use a password on the commandline (CVE-2015-3157) | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I spun up a couchbase instance and took a backup, and was able to repro this.
The password is not leaked in any of the service logs (i.e. trove api, taskmanager, or conductor) but it _is_ leaked in the trove-guestagent log. The guest-instance (as Thierry mentions above) is not accessible to users, so this is somewhat mitigated -- but I'd like to have this fixed in the guest-agent as hardening, so that we don't end up with the password in the log.
Thanks,
Nikhil