Bug 1838401 (CVE-2020-10750)
| Summary: | CVE-2020-10750 jaegertracing/jaeger: credentials leaked to container logs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark Cooper <mcooper> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abonas, askrabec, gbrown, kconner, psampaio, rcernich, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jaeger 1.18.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | An information disclosure vulnerability was found in jaegertracing/jaeger. When the Kafka data store is used, this flaw allows an attacker with access to the container's log file to discover the Kafka credentials. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-19 17:20:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1838400 | ||
Description

Mark Cooper, 2020-05-21 05:04:15 UTC
Looks like the issue is located here: https://github.com/jaegertracing/jaeger/blob/e46f87376bdd2a28864864eb385ff49a6aa76330/plugin/storage/kafka/factory.go#L69

```go
// Initialize implements storage.Factory
func (f *Factory) Initialize(metricsFactory metrics.Factory, logger *zap.Logger) error {
	f.metricsFactory, f.logger = metricsFactory, logger
	logger.Info("Kafka factory", zap.Any("producer builder", f.Builder), zap.Any("topic", f.options.topic))
```

Logging f.Builder gets initialized a few lines before with f.options.Config which contains the credentials: https://github.com/jaegertracing/jaeger/blob/e46f87376bdd2a28864864eb385ff49a6aa76330/plugin/storage/kafka/factory.go#L62

```go
// InitFromViper implements plugin.Configurable
func (f *Factory) InitFromViper(v *viper.Viper) {
	f.options.InitFromViper(v)
	f.Builder = &f.options.config
}
```

The log file then looks like:

```json
{"level":"info","ts":1590031704.5821817,"msg":"Kafka factory","producer builder":{"Brokers":["127.0.0.1:9092"],"RequiredAcks":1,"Compression":0,"CompressionLevel":0,"ProtocolVersion":"","BatchLinger":0,"BatchSize":0,"BatchMaxMessages":0,"Authentication":"none","Kerberos":{"ServiceName":"kafka","Realm":"","UseKeyTab":false,"Username":"","Password":"","ConfigPath":"/etc/krb5.conf","KeyTabPath":"/etc/security/kafka.keytab"},"TLS":{"Enabled":false,"CAPath":"","CertPath":"","KeyPath":"","ServerName":"","ClientCAPath":"","SkipHostVerify":false},"PlainText":{"UserName":"root","Password":"password"}},"topic":"jaeger-spans"}
```

So the issue isn't localized to just plain text auth but perhaps kerberos as well if used.

Whilst OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported storage backing is ElasticSearch. Additionally in the documentation/notes, only ElasticSearch is supported also - hence marking OSSM as affected but wontfix.
Acknowledgments:

Name: Carl Henrik Lunde (SpareBank 1)

Statement:

While OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported data store is ElasticSearch. Additionally, in the documentation and notes, only ElasticSearch is supported, marking OpenShift ServiceMesh as affected but WONTFIX.

Upstream release now available: https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1

This issue has been addressed in the following products:

Jaeger-1.17
Via RHSA-2020:2636 https://access.redhat.com/errata/RHSA-2020:2636

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10750

External References: https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1
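As an added illustration of the failure mode described in the report (this is not Jaeger's code and not the upstream fix), the Go program below uses encoding/json as a stand-in for the reflection-based encoding that a structured logger applies to an arbitrary struct passed via zap.Any, and puts a bare-string credential struct beside a hardened form whose password type redacts itself when serialized. The Secret, LeakyPlainText, SafePlainText, LogLine and ContainsSecret names and the sample credential are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Secret is a string type that redacts itself when formatted or JSON-encoded.
// A reflection-based encoder honours MarshalJSON, so a config struct holding a
// Secret can be logged without exposing the credential; only code that calls
// Reveal sees the real value.
type Secret string

func (s Secret) String() string                { return "[REDACTED]" }
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal(s.String()) }
func (s Secret) Reveal() string                { return string(s) }

// LeakyPlainText mirrors the PlainText block of the leaked log line: bare strings.
type LeakyPlainText struct{ UserName, Password string }

// SafePlainText is the hardened shape: the password field cannot serialize in clear.
type SafePlainText struct {
	UserName string
	Password Secret
}

// LogLine stands in for logger.Info(msg, zap.Any(key, v)): it serializes v with
// encoding/json, as a reflection-based structured-log encoder would.
func LogLine(msg, key string, v interface{}) (string, error) {
	b, err := json.Marshal(map[string]interface{}{"level": "info", "msg": msg, key: v})
	if err != nil {
		return "", fmt.Errorf("encode log line: %w", err)
	}
	return string(b), nil
}

// ContainsSecret is the check a log review or unit test would run: does the
// emitted line carry the credential in clear text?
func ContainsSecret(line, secret string) bool { return strings.Contains(line, secret) }

func main() {
	const pw = "hunter2" // constructed sample credential
	leaky, _ := LogLine("Kafka factory", "producer builder", LeakyPlainText{"root", pw})
	safe, _ := LogLine("Kafka factory", "producer builder", SafePlainText{"root", Secret(pw)})
	fmt.Println(leaky, ContainsSecret(leaky, pw)) // true: credential leaked
	fmt.Println(safe, ContainsSecret(safe, pw))   // false: "[REDACTED]" logged instead
}
```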