Bug 1726223 (CVE-2019-10195)
| Summary: | CVE-2019-10195 ipa: Batch API logging user passwords to /var/log/httpd/error_log | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | abokovoy, dblechte, dfediuck, eedri, fdc, frenaud, huzaifas, ipa-maint, jamison.bennett, jcholast, jhrozek, mgoldboi, michal.skrivanek, pvoborni, rcritten, rtillery, sbonazzo, security-response-team, sherold, ssorce, tscherf, twoerner, yturgema | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: |
A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2020-02-04 20:09:36 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1728123, 1728124, 1728125, 1776939, 1777147, 1777252, 1777303, 1803828 | ||||||
| Bug Blocks: | 1723319 | ||||||
| Attachments: |
|
||||||
|
Description
msiddiqu
2019-07-02 11:10:43 UTC
Created attachment 1587101 [details]
Candidate patch
Patch tested successfully. I also ran the ipatests/test_xmlrpc/test_batch_plugin.py tests without any issue.
Example of output in /var/log/httpd/error_log when running in batch "ipa group_find" and "ipa passwd test SecretPwd":
ipa: DEBUG: raw: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: raw: group_find(None, version='2.233')
ipa: DEBUG: group_find(None, private=False, posix=False, external=False, nonposix=False, all=False, raw=False, version='2.233', no_members=True, pkey_only=False)
ipa: INFO: admin: batch: group_find(None): SUCCESS
ipa: DEBUG: raw: passwd('test', '********', None, version='2.233')
ipa: DEBUG: passwd(ipapython.kerberos.Principal('test'), '********', '********', version='2.233')
ipa: INFO: admin: batch: passwd('test', '********', None): SUCCESS
ipa: INFO: [jsonserver_kerb] admin: batch(group_find(None), passwd('test', '********', None)): SUCCESS
How should we go about releasing this? Is the upstream reporter going to disclose this at some point? Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 matter? It is almost certainly affected too. Is a CVE going to be assigned? (In reply to Rob Crittenden from comment #4) > How should we go about releasing this? Is the upstream reporter going to > disclose this at some point? I am the reporter of this, so I can answer part of your questions. I do not have plans to disclose this. I look forward to using the batch API when RedHat releases this fix. Your patch is better than the one I originally provided with the report because it logs more information than the original one did. Thanks. > > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 > matter? It is almost certainly affected too. > > Is a CVE going to be assigned? In reply to comment #4: > How should we go about releasing this? Is the upstream reporter going to > disclose this at some point? > > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 > matter? It is almost certainly affected too. > This is rated as having moderate impact, so we will create unacked trackers for rhel-7/8. We dont plan to fix this for rhel-6 though. > Is a CVE going to be assigned? We will assign a cve id to this. In reply to comment #5: > (In reply to Rob Crittenden from comment #4) > > How should we go about releasing this? Is the upstream reporter going to > > disclose this at some point? > > I am the reporter of this, so I can answer part of your questions. I do not > have plans to disclose this. I look forward to using the batch API when > RedHat releases this fix. Your patch is better than the one I originally > provided with the report because it logs more information than the original > one did. Thanks. > > > > > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 > > matter? It is almost certainly affected too. > > > > Is a CVE going to be assigned? Hi Jamison, Since you reported this flaw, we would like to acknowledge you as the reporter. Are you ok with using your name "Jamison Bennett" as the reporter? or would you like something like "Jamison Bennett of Cloudera" ? Please let us know. HI Huzaifa, Yes, that would be awesome to use something like "Jamison Bennett of Cloudera". Thank you for checking. Thanks, Jamison Acknowledgments: Name: Jamison Bennett (Cloudera) Statement: This vulnerability exists in the server component of FreeIPA. Client packages are not affected. Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa. Upstream commit: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0 Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1777147] External References: https://www.freeipa.org/page/Releases/4.6.7 https://www.freeipa.org/page/Releases/4.7.4 https://www.freeipa.org/page/Releases/4.8.3 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10195 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269 |