| Summary: | LDAP bind username and password being logged in plain text | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Jared Deubel <jdeubel> | |
| Component: | Security | Assignee: | Joe Vlcek <jvlcek> | |
| Status: | CLOSED NOTABUG | QA Contact: | amogh <amavinag> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 5.5.0 | CC: | amavinag, cpelland, dajohnso, jhardy, jocarter, jprause, kseifried, mfeifer, obarenbo, sshveta | |
| Target Milestone: | GA | Keywords: | ZStream | |
| Target Release: | 5.6.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ldap | |||
| Fixed In Version: | 5.6.0.0 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1302062 (view as bug list) | Environment: | ||
| Last Closed: | 2016-05-16 20:35:33 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1302062 | |||
I've reproduced and root cased this. A fix is on the way. JoeV New commit detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/edf9c91aef783dbd2d6233e25d885353811d46b5 commit edf9c91aef783dbd2d6233e25d885353811d46b5 Author: Joe VLcek <jvlcek> AuthorDate: Fri Jan 22 16:49:11 2016 -0500 Commit: Joe VLcek <jvlcek> CommitDate: Fri Jan 22 17:41:39 2016 -0500 When logging, mask LDAP credentials in nested hashes https://bugzilla.redhat.com/show_bug.cgi?id=1297576 lib/vmdb/config.rb | 22 +++++++++++-------- spec/lib/vmdb/config_spec.rb | 50 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 9 deletions(-) New commit detected on cfme/5.5.z: https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=d4c786e84a24e3450fb9cd0c565d1de5e313f51b commit d4c786e84a24e3450fb9cd0c565d1de5e313f51b Author: Joe VLcek <jvlcek> AuthorDate: Fri Jan 22 16:49:11 2016 -0500 Commit: Joe Rafaniello <jrafanie> CommitDate: Tue Jan 26 17:42:50 2016 -0500 When logging, mask LDAP credentials in nested hashes https://bugzilla.redhat.com/show_bug.cgi?id=1297576 lib/vmdb/config.rb | 22 +++++++++------- spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 9 deletions(-) *** Bug 1297577 has been marked as a duplicate of this bug. *** Reopening: Turns out there are multiple places in the code that attempt to clean output for logging. Thank's to help from Milan I have located the source if other failures and will have a fix soon. New commit detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/56258a2397a7b5392c342596dd0a9af0ace0da9c commit 56258a2397a7b5392c342596dd0a9af0ace0da9c Author: Joe VLcek <jvlcek> AuthorDate: Fri Feb 5 15:21:49 2016 -0500 Commit: Joe VLcek <jvlcek> CommitDate: Tue Feb 9 00:08:56 2016 -0500 Encrypt ldap bind password when queuing to MiqQueue https://bugzilla.redhat.com/show_bug.cgi?id=1297576 app/models/authenticator.rb | 10 ++++++++++ spec/models/authenticator/amazon_spec.rb | 1 + spec/models/authenticator/httpd_spec.rb | 1 + spec/models/authenticator/ldap_spec.rb | 24 ++++++++++++++++++++++++ 4 files changed, 36 insertions(+) New commit detected on cfme/5.5.z: https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=dbe4d18d8c9f3e732833da17d76705d71d6e4ee1 commit dbe4d18d8c9f3e732833da17d76705d71d6e4ee1 Author: Joe VLcek <jvlcek> AuthorDate: Fri Jan 22 16:49:11 2016 -0500 Commit: Milan Zazrivec <mzazrivec> CommitDate: Mon Feb 1 14:03:28 2016 +0100 When logging, mask LDAP credentials in nested hashes https://bugzilla.redhat.com/show_bug.cgi?id=1297576 lib/vmdb/config.rb | 22 +++++++++------- spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 9 deletions(-) Detected commit referencing this ticket while ticket status is MODIFIED. bind_pwd is FILTERED in evm.log but grep is still listing the bind_pwd in plain text in apache/ssl_access.log. [root@host-192-168-100-51 log]# grep -ir bind_pwd . ./apache/ssl_access.log:10.13.129.33 - - [12/May/2016:14:45:13 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd= HTTP/1.1" 200 97 ./apache/ssl_access.log:10.13.129.33 - - [12/May/2016:14:45:16 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 200 97 ./apache/ssl_request.log:[12/May/2016:14:45:13 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 97 ./apache/ssl_request.log:[12/May/2016:14:45:16 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 97 ./preconfigure-logs/evm.log:[----] I, [2016-05-11T20:18:21.174536 #12260:7af990] INFO -- : :bind_pwd: moving this bug on to DEV. verified this bug in 5.6.0.6-beta2.5.20160511140943_ff75fb2 Joe, here are the two separate BZ's for UI and Applaiance logs: appliance: https://bugzilla.redhat.com/show_bug.cgi?id=1336541 webui: https://bugzilla.redhat.com/show_bug.cgi?id=1336538 closing this bz, as this problem will be handled with two separate bz's commented above. |
Description of problem: When the system is binding with CloudForms we are seeing that the password is being logged in plain text. from evm.log which is world readable ========================================================================================== [----] I, [2016-01-11T12:31:42.333099 #11821:9d1994] INFO -- : MIQ(MiqQueue.put) Message id: [777000000684681], id: [], Zone: [Census CloudForms], Role: [], Server: [54e1b3c4-9f3e-11e5-886e-00505685525e], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [Authenticator::Ldap.authorize], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: [{:basedn=>"DC=test,DC=system,DC=com", :bind_dn=>"CF3-user.com", :bind_pwd=>"PLAIN TEXT PASSWORD", :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["system01.test.system.com"], :ldapport=>"636", :mode=>"ldaps", :user_suffix=>"test.system.com", :user_type=>"samaccountname", :amazon_key=>nil, :amazon_secret=>nil, :ldap_role=>true, :amazon_role=>false, :httpd_role=>false, :user_proxies=>[{}], :follow_referrals=>false, :sso_enabled=>false, :domain_prefix=>"EAD"}, 777000000002661, "test\\user1"] ========================================================================================== User password hashes are also being logged. ========================================================================================== [----] I, [2016-01-11T13:50:40.026319 #11803:467990] INFO -- : MIQ(MiqQueue#m_callback) Message id: [777000000685759], Invoking Callback with args: ["Finished", "ok", "Message delivered successfully", "#<User id: 777000000000002, name: \"John Doe\", email: \"johndoe.com\", icon: nil, created_on: \"2015-12-10 18:07:32\", updated_on: \"2016-01-11 18:50:40\", userid: \"johndoe.com\", settings: {}, filters: nil, lastlogon: \"2016-01-11 18:50:40\", lastlogoff: \"2016-01-11 17:20:03\", region: 777, current_group_id: 777000000000002, first_name: \"John\", last_name: \"doe\", password_digest: \"$2a$19$j2XjeqPzVELR.TOZ1vB0wOpIID/hy/uXc1qipSGqDaC...\">"] ========================================================================================== Version-Release number of selected component (if applicable): 5.5 How reproducible: Very