Bug 2242156 (CVE-2023-5384)

Summary: CVE-2023-5384 infinispan: Credentials returned from configuration as clear text
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: chazlett, pjindal, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
Bug Blocks: 2242155

Description Patrick Del Bello 2023-10-04 16:14:45 UTC
When serializing the configuration for a cache to XML/JSON/YAML which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

The issue's impact is limited because only users with the ADMIN permission can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the `datasource` configuration which does not expose the database credentials.
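The following is an added illustration of the failure mode described above and of the two mitigations the report points at; it is not Infinispan's code and does not use Infinispan's configuration schema. All element and key names (`jdbc-string-keyed-store`, `connection-pool`, `data-source`, `jndi-url`) and the sample values are constructed for the example. It serializes a cache configuration to JSON and XML (YAML is omitted to stay within the standard library), once naively and once through a redacting pass, shows that a `datasource`-style reference carries no secret to leak in the first place, and includes a detection check that scans serialized output for the plaintext secrets it was built from.

```python
"""Added example (hypothetical, not Infinispan's code): how serializing a cache
configuration can echo store credentials, a redacting serializer that masks
them, and a check that flags any serialized form still carrying a secret."""
import json
import re
from xml.etree import ElementTree as ET

# Constructed cache configuration with inline JDBC connection-pool credentials,
# the shape of configuration the report describes.  All names and values are
# made up for this example.
CACHE_WITH_INLINE_CREDENTIALS = {
    "name": "orders",
    "persistence": {
        "jdbc-string-keyed-store": {
            "connection-pool": {
                "connection-url": "jdbc:postgresql://db.example.internal/orders",
                "username": "grid_user",
                "password": "s3cr3t-example-password",
            }
        }
    },
}

# Constructed alternative: the store references a container-managed datasource
# by name, so the cache configuration itself holds no credential at all.
CACHE_WITH_DATASOURCE = {
    "name": "orders",
    "persistence": {
        "jdbc-string-keyed-store": {
            "data-source": {"jndi-url": "java:jboss/datasources/OrdersDS"}
        }
    },
}

# Key names treated as sensitive when serializing for display or export.
SENSITIVE_KEYS = re.compile(r"(password|secret|credential|token|passphrase)", re.I)
MASK = "***"


def redact(node):
    """Return a deep copy of `node` with string values under sensitive keys masked."""
    if isinstance(node, dict):
        return {
            k: (MASK if SENSITIVE_KEYS.search(k) and isinstance(v, str) else redact(v))
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


def to_json(config, mask=True):
    """Serialize to JSON; `mask=False` reproduces the leaking behaviour."""
    return json.dumps(redact(config) if mask else config, indent=2)


def to_xml(config, mask=True):
    """Serialize to XML: nested dicts become child elements, scalars become attributes."""
    def build(parent, node):
        for key, value in node.items():
            if isinstance(value, dict):
                build(ET.SubElement(parent, key), value)
            else:
                parent.set(key, str(value))

    root = ET.Element("cache")
    build(root, redact(config) if mask else config)
    return ET.tostring(root, encoding="unicode")


def leaked_secrets(serialized, config):
    """Detection: list the plaintext secret values from `config` that appear
    verbatim in `serialized`.  An empty list means the output is safe to show."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if SENSITIVE_KEYS.search(key) and isinstance(value, str):
                    if value in serialized:
                        found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(config)
    return found


if __name__ == "__main__":
    raw = to_json(CACHE_WITH_INLINE_CREDENTIALS, mask=False)
    print("unmasked export leaks:", leaked_secrets(raw, CACHE_WITH_INLINE_CREDENTIALS))
    print(to_xml(CACHE_WITH_INLINE_CREDENTIALS))          # masked XML
    print(to_json(CACHE_WITH_DATASOURCE, mask=False))     # nothing to leak
```

The `leaked_secrets` check is the part worth keeping around after the fix: run it over whatever an administrative "show configuration" path returns, and it reports any credential value that survived into the output regardless of which serializer (JSON, XML, YAML) produced it.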

Comment 3 errata-xmlrpc 2023-12-06 19:04:01 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.6

Via RHSA-2023:7676 https://access.redhat.com/errata/RHSA-2023:7676