Bug 1067265 (CVE-2014-0085)

Summary: CVE-2014-0085 Fuse: admin user cleartext password appears in logging
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: djorm, jrusnack, security-response-team, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-04 22:56:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1087102

Description Chess Hazlett 2014-02-20 03:50:18 UTC
Graeme Colman of Red Hat reported a sensitive data exposure flaw in Apache Zookeeper.  An admin user's password appeared in plaintext in binary log files.  A local user could read this information and use it to gain administrative access to the application.

Update 2018-08-06:

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.

Comment 2 Martin Prpič 2014-04-10 15:27:37 UTC
Acknowledgements:

This issue was discovered by Graeme Colman of Red Hat.

Comment 3 Chess Hazlett 2014-04-15 02:37:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html

Comment 4 Chess Hazlett 2014-04-15 02:40:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 5 michim 2014-04-23 23:31:00 UTC
Could you provide more details on this bug? I'm guessing the binary log files refers to the transaction log files, and admin user's password is the password for znode's ACLs. Is that correct?

Comment 6 michim 2014-04-24 00:37:12 UTC
Also, it would be great if you can share the fix so that the issue can be addressed in the upstream code base.

Thanks!

Comment 7 David Jorm 2014-06-10 04:05:04 UTC
Statement:

This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.
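The description and the statement above say that a local user who can read the ZooKeeper log files (the binary transaction logs and snapshots under ZooKeeper's data directories) could recover an admin password that Fuse Fabric had written in cleartext. The check an administrator would want after applying the erratum is whether any such cleartext still sits in the logs on disk. The script below is an added example written for this page, not code from the bug, from Red Hat, or from Fuse Fabric: it extracts printable runs from a binary file the way strings(1) does and flags runs that look like credentials. The credential patterns, the "ENC(" marker treated as an already-encrypted value, the znode path and the sample log bytes are all constructed assumptions for the illustration; the real on-disk format Fuse Fabric wrote is not documented on this page, so adapt the patterns to what your version actually stores.

```python
"""Scan a binary file (for example a ZooKeeper transaction log or snapshot)
for printable runs that look like cleartext credentials.

Added example for CVE-2014-0085; not Fuse Fabric or ZooKeeper code.
"""
import re
import sys

# Shortest printable run worth looking at, same idea as strings(1).
MIN_RUN = 6

# ASSUMPTION: values already wrapped like ENC(...) are treated as encrypted
# and not reported.  Fuse Fabric's real marker, if any, may differ.
ENCRYPTED_MARKER = "ENC("

# ASSUMPTION: two illustrative shapes of a cleartext credential.
#   1. "password=..." / "passwd: ..." style key/value pairs
#   2. Karaf users.properties style "user=password,role1,role2"
# Group 1 of each pattern captures the secret value itself.
CREDENTIAL_PATTERNS = (
    re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
    re.compile(r"^[A-Za-z0-9._-]+=([^,\s]+)(?:,[A-Za-z0-9._-]+)+$"),
)


def printable_runs(data, min_run=MIN_RUN):
    """Return (offset, text) for every run of >= min_run printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def find_cleartext_credentials(data, min_run=MIN_RUN):
    """Return a list of {"offset", "text"} for runs that match a credential
    pattern and whose secret is not wrapped in ENCRYPTED_MARKER."""
    hits = []
    for offset, text in printable_runs(data, min_run):
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(text)
            if m and not m.group(1).startswith(ENCRYPTED_MARKER):
                hits.append({"offset": offset, "text": text})
                break  # one report per run is enough
    return hits


# CONSTRUCTED sample: a fake binary log with a cleartext users entry, a
# cleartext key/value password, a digest-style (hashed) entry that must not
# be flagged, and an encrypted entry that must not be flagged.  The path
# and all values are made up for this example.
SAMPLE_LOG = (
    b"ZKLG\x00\x00\x00\x02"                       # fake 8-byte header
    + bytes(range(0, 32))                          # binary noise, no printables
    + b"/fabric/authentication/users\x00\x00\x00\x1e"
    + b"admin=s3cr3tPass,admin,manager"            # cleartext: flagged
    + b"\x00\x00\x00\x00\xff\xfe"
    + b"zookeeper.password=letmein"                # cleartext: flagged
    + b"\x00\x00"
    + b"admin:x1gi2ufE2ndl0oSsF7HQQUCrA3o="        # hashed digest: not flagged
    + b"\x00\x00\x00\x00"
    + b"admin=ENC(c2FtcGxlLWNpcGhlcnRleHQ=),admin"  # encrypted: not flagged
    + b"\x00\x00\x00\x00"
)


def main(argv):
    """Scan the files given on the command line, or SAMPLE_LOG if none."""
    if len(argv) > 1:
        sources = [(path, open(path, "rb").read()) for path in argv[1:]]
    else:
        sources = [("<constructed sample>", SAMPLE_LOG)]
    total = 0
    for name, data in sources:
        for hit in find_cleartext_credentials(data):
            total += 1
            print("%s: offset %d: %s" % (name, hit["offset"], hit["text"]))
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two constructed hits, or point it at the files under ZooKeeper's dataDir and dataLogDir on a Fuse host. A hit means the secret is recoverable by anyone who can read that file, and because ZooKeeper keeps old transaction logs and snapshots until purged, rotating the password is not enough on its own: the old files must be purged as well.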