Bug 875845
Summary: ObfuscatedPropertySimple fails to de-obfuscate many passwords

| Field | Value |
|---|---|
| Product | [JBoss] JBoss Operations Network |
| Component | Configuration |
| Version | JON 3.1.1 |
| Target Release | JON 3.1.2 |
| Hardware | All |
| OS | All |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | urgent |
| Type | Bug |
| Doc Type | Bug Fix |
| Reporter | Larry O'Leary <loleary> |
| Assignee | RHQ Project Maintainer <rhq-maint> |
| QA Contact | Mike Foley <mfoley> |
| CC | lkrejci, myarboro, skondkar |
| Bug Depends On | 875848 |
| Bug Blocks | 876123, 876480 |
| Last Closed | 2013-09-11 10:58:47 UTC |
Description
Larry O'Leary
2012-11-12 16:42:06 UTC
These two issues seem to be the root causes of the behaviour:

https://issues.jboss.org/browse/SECURITY-344
https://issues.jboss.org/browse/SECURITY-563

The passwords stored as they are in the database are unfortunately unrecoverable so we'll have to clear them out in a special upgrade job / patch script.

release/jon3.1.x
http://git.fedorahosted.org/cgit/rhq/rhq.git/diff/?id=192aa76cabe45deca27f5feffefbb4a0b2f9fba0
Author: Lukas Krejci <lkrejci>
Date: Tue Nov 13 14:18:41 2012 +0100

[BZ 875848] - Use the fixed version of the password obfuscation as found in Picketbox.

(cherry picked from commit 7c4eb7ac4967f2e0e0630fe921268bff7093b077)

Repro steps:
1) Go to Administration / Content Sources
2) Select the "JBoss CP Patch Feed" content source
3) Edit the "CSP Feed Settings"
4) Set any user name and "dv" as a password.
5) Click save
6) Navigate away from the content detail page (click on any link in the left nav area)
7) Click on the "Content Sources"

Actual Results:
The "JBoss CP Patch Feed" no longer shows up in the list of content sources; there is an error in the server log caused by "javax.crypto.IllegalBlockSizeException".

Expected Results:
The feed is updated OK, no errors anywhere.

Repro steps for upgrade:
1) Perform the above repro steps on a JON 3.1.1 instance.
2) Upgrade the instance to JON 3.1.2, keeping the database
3) Navigate to Administration / Content Sources

Expected results:
The "JBoss CP Patch Feed" is again visible and the password field is empty.

Moving to ON_QA as available for test with build: https://brewweb.devel.redhat.com//buildinfo?buildID=244662.

I was wrong with the repro steps. In the end, the encoding phase has not changed (nor did it change in the upstream, see http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/picketbox/datasource/security/SecureIdentityLoginModule.java) so only the decoding needed the fixes.

This means that the pre-existing persisted passwords contain all the information needed for decoding (i.e. the encoding done at persist time was always working correctly). The fix only enables all such encoded passwords to get correctly decoded. Therefore there should be NO emptied passwords and things should just start working automagically.

Verified on JON 3.1.2 ER2 and upgrading from JON 3.1.1 to JON 3.1.2 ER2 build. No errors are observed in the server log and the "JBoss CP Patch Feed" is visible. Works as expected.
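The comments above establish two things: the encode step was always fine, and only the decode step needed fixing, with the symptom being javax.crypto.IllegalBlockSizeException for some passwords such as "dv". The example below is an added illustration, not code from RHQ or PicketBox, of the failure class assumed here from the linked SECURITY issues: the ciphertext is turned into a BigInteger and written out as hex, and on the way back BigInteger.toByteArray() returns the minimal two's-complement form, so any leading sign-extension bytes (0x00 for positive values) are gone and the byte count is no longer a whole number of cipher blocks. The "cipher" is a constructed XOR stand-in whose only relevant property is that, like a JCE block cipher, it rejects partial blocks; the key is constructed so that "dv" produces a leading zero byte. The decode-side repair sign-extends the value back to whole blocks, and `would_fail_naive` is the check an administrator could run over stored values to confirm the comment's claim that nothing needs to be emptied.

```python
"""Constructed demo: big-integer hex round trip losing ciphertext bytes, and the
decode-side repair. Not PicketBox code; cipher and key are stand-ins."""

BLOCK = 8  # assumption for the demo: 8-byte blocks, as with Blowfish

# Constructed key: its first byte equals 'd' (0x64) so that "dv" yields a
# ciphertext whose first byte is 0x00, which the hex step silently drops.
DEMO_KEY = bytes.fromhex("641337aa55c0ffee")


class IllegalBlockSizeError(ValueError):
    """Mirrors a block cipher refusing input that is not whole blocks."""


def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def toy_block_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (XOR with the key; NOT secure). The length check is the
    behaviour under discussion: real block ciphers raise on a partial block."""
    if len(data) % BLOCK:
        raise IllegalBlockSizeError(f"{len(data)} bytes is not a multiple of {BLOCK}")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def java_bit_length(n: int) -> int:
    """java.math.BigInteger.bitLength(): for negatives, bits of the complement."""
    return n.bit_length() if n >= 0 else (~n).bit_length()


def java_to_byte_array(n: int) -> bytes:
    """Minimal two's-complement bytes, as BigInteger.toByteArray() returns them."""
    return n.to_bytes(java_bit_length(n) // 8 + 1, "big", signed=True)


def encode(password: str, key: bytes = DEMO_KEY) -> str:
    """Encode step: encrypt, then new BigInteger(ct).toString(16)."""
    ct = toy_block_cipher(pkcs5_pad(password.encode()), key)
    n = int.from_bytes(ct, "big", signed=True)  # signed, like new BigInteger(byte[])
    return format(n, "x")  # hex has no notion of leading zero bytes


def decode_naive(encoded: str, key: bytes = DEMO_KEY) -> str:
    """Broken decode: toByteArray() may be shorter than the ciphertext was."""
    ct = java_to_byte_array(int(encoded, 16))
    return pkcs5_unpad(toy_block_cipher(ct, key)).decode()


def hex_to_blocks(encoded: str) -> bytes:
    """Repaired reverse of the hex step: sign-extend back to whole blocks.

    Only leading sign-extension bytes can have been lost, so re-encoding the
    same integer at the next block boundary restores them exactly. (A whole
    leading block of 0x00 or 0xFF would be ambiguous; no scheme can recover it.)
    """
    n = int(encoded, 16)
    ct = java_to_byte_array(n)
    if len(ct) % BLOCK:
        full = len(ct) + BLOCK - len(ct) % BLOCK
        ct = n.to_bytes(full, "big", signed=True)
    return ct


def decode_fixed(encoded: str, key: bytes = DEMO_KEY) -> str:
    return pkcs5_unpad(toy_block_cipher(hex_to_blocks(encoded), key)).decode()


def would_fail_naive(encoded: str) -> bool:
    """Defender's check over stored values: would the old decode path choke on this?"""
    return len(java_to_byte_array(int(encoded, 16))) % BLOCK != 0


if __name__ == "__main__":
    for pw in ("secret", "dv"):
        enc = encode(pw)
        print(pw, "->", enc, "| naive would fail:", would_fail_naive(enc),
              "| fixed decode:", decode_fixed(enc))
```

Running the block shows "secret" surviving both decoders while "dv" loses its leading 0x00 byte in the hex form, trips the block-size check on the naive path, and decodes correctly once the value is sign-extended back to eight bytes. Because the stored hex string still identifies the original integer, the stored values are complete, which is the point the comment makes: the fix belongs in decode, and no stored password needs to be cleared.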