Bug 1067265 (CVE-2014-0085) - CVE-2014-0085 Fuse: admin user cleartext password appears in logging
Summary: CVE-2014-0085 Fuse: admin user cleartext password appears in logging
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0085
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1087102
TreeView+ depends on / blocked
 
Reported: 2014-02-20 03:50 UTC by Chess Hazlett
Modified: 2023-05-12 15:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
Clone Of:
Environment:
Last Closed: 2014-05-04 22:56:00 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0400 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse 6.1.0 update 2014-04-14 18:27:37 UTC
Red Hat Product Errata RHSA-2014:0401 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss A-MQ 6.1.0 update 2014-04-14 18:07:26 UTC

Description Chess Hazlett 2014-02-20 03:50:18 UTC
Graeme Colman of Red Hat reported a sensitive data exposure flaw in Apache Zookeeper.  An admin user's password appeared in plaintext in binary log files.  A local user could read this information and use it to gain administrative access to the application.

Update 2018-08-06:

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.

Comment 2 Martin Prpič 2014-04-10 15:27:37 UTC
Acknowledgements:

This issue was discovered by Graeme Colman of Red Hat.

Comment 3 Chess Hazlett 2014-04-15 02:37:09 UTC
This issue has been addressed in following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html

Comment 4 Chess Hazlett 2014-04-15 02:40:20 UTC
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 5 michim 2014-04-23 23:31:00 UTC
Could you provide more details on this bug? I'm guessing the binary log files refers to the transaction log files, and admin user's password is the password for znode's ACLs. Is that correct?

Comment 6 michim 2014-04-24 00:37:12 UTC
Also, it would be great if you can share the fix so that the issue can be addressed in the upstream code base.

Thanks!

Comment 7 David Jorm 2014-06-10 04:05:04 UTC
Statement:

This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.


Note You need to log in before you can comment on or make changes to this bug.