Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1063641 - (CVE-2014-0058) CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit
CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140224,reported=2...
: Security
Depends On: 1063643 1063644 1063645 1071151 1071152 1071153 1071154 1071155 1071156 1071158 1075590
Blocks: 1064514 1064517 1082931 1082938 1093885 1097027 1141957 1145284 1159080 1159088
  Show dependency treegraph
 
Reported: 2014-02-11 02:31 EST by Arun Babu Neelicattu
Modified: 2018-02-06 14:20 EST (History)
38 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0204 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-02-24 20:40:07 EST
Red Hat Product Errata RHSA-2014:0205 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-02-24 20:40:03 EST
Red Hat Product Errata RHSA-2014:0895 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Grid 6.3.0 update 2014-07-16 17:12:23 EDT
Red Hat Product Errata RHSA-2014:0910 normal SHIPPED_LIVE Important: Red Hat JBoss Operations Network 3.2.2 update 2014-07-21 18:35:10 EDT
Red Hat Product Errata RHSA-2014:1290 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 update 2014-09-23 20:19:55 EDT
Red Hat Product Errata RHSA-2014:1291 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 update 2014-09-23 20:19:49 EDT
Red Hat Product Errata RHSA-2014:1995 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2014-12-15 20:35:32 EST
Red Hat Product Errata RHSA-2015:0034 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-01-12 17:32:40 EST
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 15:14:47 EDT

  None (edit)
Description Arun Babu Neelicattu 2014-02-11 02:31:56 EST 
It was identified that web auditing, as provided by Red Hat JBoss Enterprise Application Platform 6, logged request parameters in plain text. This may include passwords used for authentication mechanisms such as BASIC and FORMAUTH. A local attacker, with access to audit logs, could compromise application/server credentials.
Comment 4 errata-xmlrpc 2014-02-24 12:46:55 EST 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0205 https://rhn.redhat.com/errata/RHSA-2014-0205.html
Comment 5 errata-xmlrpc 2014-02-24 14:59:59 EST 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0204 https://rhn.redhat.com/errata/RHSA-2014-0204.html
Comment 18 errata-xmlrpc 2014-07-16 13:12:49 EDT 
This issue has been addressed in following products:

  JBoss Data Grid 6.3.0

Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html
Comment 19 Martin Prpič 2014-07-17 10:17:23 EDT 
IssueDescription:

It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.
Comment 20 errata-xmlrpc 2014-07-21 14:35:17 EDT 
This issue has been addressed in following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html
Comment 23 errata-xmlrpc 2014-09-23 16:20:26 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 24 errata-xmlrpc 2014-09-23 16:21:44 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 25 errata-xmlrpc 2014-12-15 15:36:16 EST 
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
Comment 26 errata-xmlrpc 2015-01-12 12:33:11 EST 
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.0.0

Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html
Comment 28 errata-xmlrpc 2015-05-14 11:15:50 EDT 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.