Bug 1063641 (CVE-2014-0058)
| Summary: | CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | ajuricic, anil.saldhana, anmiller, arubin, bdawidow, bmaxwell, cdewolf, chazlett, cobrien, enagai, epp-bugs, fnasser, grocha, huwang, jawilson, jcoleman, jdg-bugs, jpallich, kconner, kejohnso, lgao, mjc, myarboro, pcheung, pgier, pskopek, pslavice, rhq-maint, rrajasek, rsvoboda, security-response-team, sguilhen, soa-p-jira, spinder, theute, ttarrant, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:31:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1063643, 1063644, 1063645, 1071151, 1071152, 1071153, 1071154, 1071155, 1071156, 1071158, 1075590 | ||
| Bug Blocks: | 1064514, 1064517, 1082931, 1082938, 1093885, 1097027, 1141957, 1145284, 1159080, 1159088 | ||
|
Description
Arun Babu Neelicattu
2014-02-11 07:31:56 UTC
This issue has been addressed in following products: Red Hat JBoss Enterprise Application Platform 6.2.1 Via RHSA-2014:0205 https://rhn.redhat.com/errata/RHSA-2014-0205.html This issue has been addressed in following products: JBEAP 6.2 for RHEL 5 JBEAP 6.2 for RHEL 6 Via RHSA-2014:0204 https://rhn.redhat.com/errata/RHSA-2014-0204.html This issue has been addressed in following products: JBoss Data Grid 6.3.0 Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html IssueDescription: It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. This issue has been addressed in following products: JBoss Operations Network 3.2.2 Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html This issue has been addressed in the following products: JBoss Fuse Service Works 6.0.0 Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html This issue has been addressed in the following products: JBoss Data Virtualization 6.0.0 Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |