Security advisory.
Possible information disclosure for Qualys Cloud Agent for Linux
Advisory ID: | Q-PSA-2022-02
CVE ID: | CVE-2022-29550
Published: | 2022-08-15
Last Update: | 2022-08-15
CWE: | CWE-312 (Cleartext Storage of Sensitive Information), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Risk Factor
Metric | NVD Risk Rating | Qualys Risk Rating
CVSSv3.1 Score | 5.5, Medium | Unchanged (Qualys concurs with the NVD rating)
CVSSv3.1 Vector (Base) | AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | Unchanged
Note: the vector string as printed evaluates to a 7.0 (High) base score under the CVSS v3.1 formula, not 5.5. A score of 5.5 (Medium) is what a local, low-privilege, confidentiality-only vector such as AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N produces, which is the usual profile for a log-based information disclosure. Confirm the authoritative vector against the NVD entry for CVE-2022-29550 before using it in risk calculations.
Description
When its logging level is set to trace, Qualys Cloud Agent for Linux writes the output of the ps auxwwe command to /var/log/qualys/qualys-cloud-agent-scan.log. The e flag makes ps print each process's environment alongside its command line, so any credentials or other secrets that customers pass to processes through environment variables are copied into the log in cleartext (CWE-312) and are exposed to anyone able to read that file (CWE-200). Trace-level logging is often enabled at customer request for troubleshooting, which is how the exposure arises; at the default logging level the ps output is not written.
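How the exposure looks in practice, as an added example that is not Qualys code: the Python below takes ps auxwwe-style rows as they would be copied into a trace-level scan log, separates each process's command line from the environment that the e flag appends, flags variables whose names suggest credentials, and redacts their values. The sample rows, the variable-name heuristic and the function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Environment-variable names that commonly carry credentials. A heuristic list for the
# example, not an exhaustive one; extend it for the naming conventions in your estate.
SENSITIVE_NAME = re.compile(
    r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL", re.IGNORECASE
)
# With the e flag, ps appends the process environment as KEY=VALUE tokens after the command.
ENV_TOKEN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Constructed sample of ps auxwwe output as it would appear once copied into a trace-level
# scan log. These rows are invented for this example; they are not real agent output.
SAMPLE_SCAN_LOG = """\
USER  PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
root    1  0.0  0.1 169000 11000 ?   Ss   10:00 0:01 /sbin/init PATH=/usr/sbin:/usr/bin HOME=/
app   412  0.3  2.0 812000 80000 ?   Ssl  10:02 0:09 /opt/app/bin/server --port=8080 PATH=/usr/bin HOME=/home/app DB_PASSWORD=Tr0ub4dor&3 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY LANG=C.UTF-8
app   413  0.0  0.5 120000 20000 ?   S    10:02 0:00 /usr/bin/python3 worker.py PATH=/usr/bin API_TOKEN=example-token-0000
"""


def parse_ps_line(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one ps auxwwe row into (pid, command line, environment).

    The first ten whitespace-separated columns are fixed (USER PID %CPU %MEM VSZ RSS TTY
    STAT START TIME); the remainder is the command line followed by KEY=VALUE tokens.
    The boundary is taken at the first KEY=VALUE token, so an argument of the form
    name=value would be treated as environment; acceptable for a leak scan, which
    should err toward flagging.
    """
    fields = line.split(None, 10)
    if len(fields) < 11:
        raise ValueError("not a ps auxwwe row")
    pid = fields[1]
    command: List[str] = []
    env: Dict[str, str] = {}
    for tok in fields[10].split():
        m = ENV_TOKEN.match(tok)
        if m is None and not env:
            command.append(tok)
        elif m is not None:
            env[m.group(1)] = m.group(2)
        else:
            # A value that itself contained whitespace: glue it back onto the previous
            # value rather than dropping it, so nothing escapes inspection.
            last = next(reversed(env))
            env[last] += " " + tok
    return pid, " ".join(command), env


def find_leaked_secrets(log_text: str) -> List[Tuple[str, str]]:
    """Return (pid, variable name) for every credential-looking environment variable
    in the ps rows of a scan log, skipping the ps header and any non-ps lines."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("USER "):
            continue
        try:
            pid, _command, env = parse_ps_line(line)
        except ValueError:
            continue
        hits.extend((pid, name) for name in env if SENSITIVE_NAME.search(name))
    return hits


def redact_line(line: str) -> str:
    """Replace the value of every credential-looking KEY=VALUE token with [REDACTED],
    leaving benign variables (PATH, HOME, LANG) and command arguments untouched."""
    def _sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        return f"{name}=[REDACTED]" if SENSITIVE_NAME.search(name) else m.group(0)
    # (?<!\S) anchors the token to whitespace so flags such as --port=8080 are not matched.
    return re.sub(r"(?<!\S)([A-Za-z_][A-Za-z0-9_]*)=(\S*)", _sub, line)


if __name__ == "__main__":
    for pid, name in find_leaked_secrets(SAMPLE_SCAN_LOG):
        print(f"pid {pid}: {name} present in logged environment")
    print(redact_line(SAMPLE_SCAN_LOG.splitlines()[2]))
```

Pointed at a real qualys-cloud-agent-scan.log from a host that ran at trace level, find_leaked_secrets tells you which processes had credential-bearing variables captured, which is the list of secrets to rotate; redact_line is the transformation to apply before such a log leaves the host, for example in a support bundle.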
Solution
The default logging level of Qualys Cloud Agent for Linux is Informational. At this level the output of ps auxwwe is not written to qualys-cloud-agent-scan.log. Qualys has updated its documentation to help customers choose an appropriate logging level and to describe the related security considerations. Customers who raise the level to trace for troubleshooting should treat the scan log as sensitive while it is in effect, return to Informational once troubleshooting is complete, and remove or scrub trace-level logs (and rotate any credentials they captured) rather than retaining or sharing them.
Affected Products
Qualys Cloud Agent for Linux
Severity Considerations
Not applicable
Further Information
References
Acknowledgments
Unqork Security Team (Justin Borland, Daniel Wood, David Heise, Bryan Li)