CVE-2022-45154: 
Linux openSUSE vulnerability analysis and mitigation

A Cleartext Storage of Sensitive Information vulnerability (CVE-2022-45154) was discovered in supportutils of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, and SUSE Linux Enterprise Server 15 SP3. The vulnerability allows attackers who gain access to support logs to obtain stored credentials. This affects supportutils version 3.0.10-95.51.1 and prior versions for SLES 12, version 3.1.21-150000.5.44.1 and prior versions for SLES 15, and version 3.1.21-150300.7.35.15.1 and prior versions for SLES 15 SP3 (NVD).

The vulnerability is classified as CWE-312: Cleartext Storage of Sensitive Information. The issue occurs because supportconfig does not properly sanitize passwords in configuration files like /etc/iscsi/iscsid.conf and /etc/target/liosetup.sh when generating support logs. Specifically, it fails to replace sensitive password fields like 'node.session.auth.passwordin' and 'discovery.sendtargets.auth.passwordin' with placeholder text. The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N according to NVD assessment (NVD, [SUSE Bug](https://bugzilla.suse.com/showbug.cgi?id=1207598)).

If exploited, this vulnerability allows attackers who gain access to support logs to view stored credentials in cleartext. This could potentially lead to unauthorized access to systems if the exposed credentials are valid and accessible to the attacker. The impact is primarily focused on confidentiality with no direct impact on integrity or availability (NVD).

SUSE has released security updates to address this vulnerability. The fixed versions are: supportutils-3.0.11-95.54.1 for SLES 12 SP5, supportutils-3.1.26-150000.5.50.1 for SLES 15 SP1/SP2, and supportutils-3.1.26-150300.7.35.21.1 for SLES 15 SP3 and later versions. As a workaround before applying the update, users can manually remove these passwords from etc.txt and fs-iscsi.txt after running supportconfig (SUSE Bug).