Cloud Platform
Solutions
Cloud Platform Apps
Customers
Partners
Community
Support
Company
Login
Contact us
Try it

Security advisory.

Possible information disclosure for Qualys Cloud Agent for Linux

Advisory ID: Q-PSA-2022-02
CVE ID:  CVE-2022-29550
Published: 2022-08-15
Last Update:  2022-08-15
CWE: CWE-312, CWE-200

Risk Factor

NVD Risk Rating Qualys Risk Rating
CVSSv3.1 Score 5.5, Medium Unchanged
CVSSv3.1 Vector (Base) AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Unchanged

Description

Qualys Cloud Agent for Linux writes the output of the ps auxwwe command to the /var/log/qualys/qualys-cloud-agent-scan.log file when the logging level is configured to trace. While this level of logging is often required by customers for troubleshooting, customer credentials or other secrets could be unexpectedly written to the Qualys logs from environment variables if set by the customer.

NOTE: qualys-cloud-agent-scan.log can only be read by the root user on the system.

Solution

Qualys Cloud Agent for Linux default logging level set to Informational. At this logging level, the output from the ps auxwwe is not written to the qualys-cloud-agent-scan.log. Qualys documentation updated to support customer decision-making on appropriate logging levels and related security considerations.

Affected Products

Qualys Cloud Agent for Linux

Severity Considerations

Not applicable

Acknowledgments

Unqork Security Team (Justin Borland , Daniel Wood , David Heise , Bryan Li)

View more security advisories