PT-2024-35990 · IBM · ibm.ibm_zhmc

Published: 2024-11-29 · Updated: 2024-11-30 · CVE-2024-53979

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ibm.ibm_zhmc versions prior to 1.9.3
Description: The Ansible collection "ibm.ibm_zhmc" for the IBM Z HMC writes password-like properties in clear text into its log file and into the output returned by some of its Ansible modules. This occurs when properties such as boot_ftp_password, ssc_master_pw, zaware_master_pw, password and bind_password are passed as input to certain modules, including zhmc_partition, zhmc_lpar, zhmc_user and zhmc_ldap_server_definition. These properties appear in the module output when resources are created or updated, and in the log file when the log_file module input parameter is used.
Recommendations: To resolve the issue, upgrade to ibm.ibm_zhmc version 1.9.3. As a temporary workaround, avoid using the log_file module input parameter so that no log file containing clear text passwords is created. Restrict access to any existing log files to minimize the risk of exploitation, and avoid passing sensitive input to the vulnerable modules until the issue is resolved. At the moment, there are no other known workarounds for this vulnerability.
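A defender-side check for the behaviour described above, added here as an example (it is not code from the ibm.ibm_zhmc collection or from this advisory): one function masks the listed password-like properties in module input/output structures before they are logged or returned, and another audits an existing log file for those properties appearing with unmasked values. The masking token and the sample log lines are constructed for the example and do not reflect the collection's real log format.

```python
import re

# Password-like property names the advisory says are written in clear text
# when passed to zhmc_partition, zhmc_lpar, zhmc_user or zhmc_ldap_server_definition.
SENSITIVE_PROPERTIES = {
    "boot_ftp_password",
    "ssc_master_pw",
    "zaware_master_pw",
    "password",
    "bind_password",
}
MASK = "********"  # assumed masking token; not a constant from the collection


def mask_sensitive(obj):
    """Return a copy of a module input/output structure with sensitive values masked."""
    if isinstance(obj, dict):
        return {
            key: MASK if key in SENSITIVE_PROPERTIES and value is not None
            else mask_sensitive(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [mask_sensitive(item) for item in obj]
    return obj


# Matches "key=value" and "'key': 'value'" forms for the sensitive keys only;
# \b keeps "password" from matching inside e.g. "boot_ftp_password".
_LEAK_RE = re.compile(
    r"[\"']?\b(?P<key>" + "|".join(sorted(SENSITIVE_PROPERTIES)) + r")\b[\"']?"
    r"\s*[:=]\s*[\"']?(?P<value>[^\"',}\s]+)"
)


def find_cleartext_in_log(log_text):
    """Return (line_number, property_name) for every unmasked sensitive value."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in _LEAK_RE.finditer(line):
            if match.group("value") != MASK:
                findings.append((line_no, match.group("key")))
    return findings


# Constructed sample lines in the style of a module log file (not a real capture).
SAMPLE_LOG = """\
2024-11-29 10:00:01 zhmc_partition: create properties {'name': 'P1', 'boot_ftp_password': 'hunter2'}
2024-11-29 10:00:02 zhmc_user: update properties {'name': 'u1', 'password': '********'}
2024-11-29 10:00:03 zhmc_ldap_server_definition: bind_password=S3cret!
"""
```

Running `find_cleartext_in_log(SAMPLE_LOG)` on the constructed sample reports the unmasked values on lines 1 and 3 and ignores the already-masked password on line 2.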

Weakness Enumeration: Cleartext Storage of Sensitive Information

Related Identifiers: CVE-2024-53979, GHSA-MW6C-F428-JX4F

Affected Products: ibm.ibm_zhmc