Bug 1067265 - (CVE-2014-0085) CVE-2014-0085 Fuse: admin user cleartext password appears in logging
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140414,reported=2...
Keywords: Security
Depends On:
Blocks: 1087102
Reported: 2014-02-19 22:50 EST by Chess Hazlett
Modified: 2018-08-14 11:53 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-04 18:56:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0400 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse 6.1.0 update 2014-04-14 14:27:37 EDT
Red Hat Product Errata RHSA-2014:0401 normal SHIPPED_LIVE Moderate: Red Hat JBoss A-MQ 6.1.0 update 2014-04-14 14:07:26 EDT

Description Chess Hazlett 2014-02-19 22:50:18 EST
Graeme Colman of Red Hat reported a sensitive data exposure flaw in Apache Zookeeper.  An admin user's password appeared in plaintext in binary log files.  A local user could read this information and use it to gain administrative access to the application.

Update 2018-08-06:

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
Comment 2 Martin Prpič 2014-04-10 11:27:37 EDT
Acknowledgements:

This issue was discovered by Graeme Colman of Red Hat.
Comment 3 Chess Hazlett 2014-04-14 22:37:09 EDT
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
Comment 4 Chess Hazlett 2014-04-14 22:40:20 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Comment 5 michim 2014-04-23 19:31:00 EDT
Could you provide more details on this bug? I'm guessing the binary log files refer to the transaction log files, and the admin user's password is the password for the znode's ACLs. Is that correct?
Comment 6 michim 2014-04-23 20:37:12 EDT
Also, it would be great if you can share the fix so that the issue can be addressed in the upstream code base.

Thanks!
Comment 7 David Jorm 2014-06-10 00:05:04 EDT
Statement:

This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper's log files. Fuse Fabric now encrypts passwords by default.