Bug 1063641 (CVE-2014-0058) - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit
Summary: CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1063643 1063644 1063645 1071151 1071152 1071153 1071154 1071155 1071156 1071158 1075590
Blocks: 1064514 1064517 1082931 1082938 1093885 1097027 1141957 1145284 1159080 1159088
TreeView+ depends on / blocked
 
Reported: 2014-02-11 07:31 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 06:53 UTC (History)
38 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:31:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0204 0 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-02-25 01:40:07 UTC
Red Hat Product Errata RHSA-2014:0205 0 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-02-25 01:40:03 UTC
Red Hat Product Errata RHSA-2014:0895 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Grid 6.3.0 update 2014-07-16 21:12:23 UTC
Red Hat Product Errata RHSA-2014:0910 0 normal SHIPPED_LIVE Important: Red Hat JBoss Operations Network 3.2.2 update 2014-07-21 22:35:10 UTC
Red Hat Product Errata RHSA-2014:1290 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 update 2014-09-24 00:19:55 UTC
Red Hat Product Errata RHSA-2014:1291 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 update 2014-09-24 00:19:49 UTC
Red Hat Product Errata RHSA-2014:1995 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2014-12-16 01:35:32 UTC
Red Hat Product Errata RHSA-2015:0034 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-01-12 22:32:40 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-02-11 07:31:56 UTC 
It was identified that web auditing, as provided by Red Hat JBoss Enterprise Application Platform 6, logged request parameters in plain text. This may include passwords used for authentication mechanisms such as BASIC and FORMAUTH. A local attacker, with access to audit logs, could compromise application/server credentials.
Comment 4 errata-xmlrpc 2014-02-24 17:46:55 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0205 https://rhn.redhat.com/errata/RHSA-2014-0205.html
Comment 5 errata-xmlrpc 2014-02-24 19:59:59 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0204 https://rhn.redhat.com/errata/RHSA-2014-0204.html
Comment 18 errata-xmlrpc 2014-07-16 17:12:49 UTC 
This issue has been addressed in following products:

  JBoss Data Grid 6.3.0

Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html
Comment 19 Martin Prpič 2014-07-17 14:17:23 UTC 
IssueDescription:

It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
Comment 20 errata-xmlrpc 2014-07-21 18:35:17 UTC 
This issue has been addressed in following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html
Comment 23 errata-xmlrpc 2014-09-23 20:20:26 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 24 errata-xmlrpc 2014-09-23 20:21:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 25 errata-xmlrpc 2014-12-15 20:36:16 UTC 
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
Comment 26 errata-xmlrpc 2015-01-12 17:33:11 UTC 
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.0.0

Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html
Comment 28 errata-xmlrpc 2015-05-14 15:15:50 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.