Bug 1199641 - [GSS](6.4.z) LDAP Bind Credential Password is Logged
Summary: [GSS](6.4.z) LDAP Bind Credential Password is Logged
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: CR2
: EAP 6.4.1
Assignee: baranowb
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: CVE-2015-1849 eap641-payload 1209958
TreeView+ depends on / blocked
 
Reported: 2015-03-06 20:52 UTC by Spolti
Modified: 2019-07-11 08:45 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-877 Major Resolved AdvancedLdapLodinMogule is Logging LDAP Bind Credential Password during authentication. 2019-07-17 01:02:30 UTC

Comment 1 Tomas Hofman 2015-03-18 13:45:12 UTC
This problem is not present in EAP 6.4 (picketbox 4.1.1) anymore.

Comment 5 Spolti 2015-03-23 18:34:17 UTC
Description of problem:

The bind Credential are being logged:

2015-03-19 19:33:28,569 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-localhost/127.0.0.1:8080-1) Logging into LDAP server, env={baseFilter=(userPrincipalName={0}), java.naming.security.credentials=***, jboss.security.security_domain=SPNEGO, java.naming.ldap.attributes.binary=objectSid, password-stacking=useFirstPass, recurseRoles=false, java.naming.security.authentication=simple, baseCtxDN=DC=example,DC=com, roleAttributeIsDN=true, rolesCtxDN=DC=example,DC=com, java.naming.security.principal=bindUser, allowEmptyPassword=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://127.0.0.1:389, roleNameAttributeID=cn, roleAttributeID=memberOf, bindDN=bindUser, bindCredential=password}


Version-Release number of selected component (if applicable): EAP 6.2.4


How reproducible:
Setup the Ldap configurations and enable the TRACE log level.

Steps to Reproduce:
Setup the Ldap configurations and enable the TRACE log level and test a simple login page against the login-moule.

Actual results:
Bind Credential is logged.

Expected results:
The password should be masked.

Additional info:
Actually we have:

protected void traceLdapEnv(Properties env)
   {
      if (trace)
      {
         Properties tmp = new Properties();
         tmp.putAll(env);
         String credentials = tmp.getProperty(Context.SECURITY_CREDENTIALS);
         if (credentials != null && credentials.length() > 0)
            tmp.setProperty(Context.SECURITY_CREDENTIALS, "***");
         log.trace("Logging into LDAP server, env=" + tmp.toString());
      }
   }

The traceLdapEnv should looks like:

 protected void traceLdapEnv(Properties env)
   {
      if (trace)
      {
         Properties tmp = new Properties();
         tmp.putAll(env);
         String credentials = tmp.getProperty(Context.SECURITY_CREDENTIALS);
         String bindCredential = tmp.getProperty(BIND_CREDENTIAL);
         if (credentials != null && credentials.length() > 0)
            tmp.setProperty(Context.SECURITY_CREDENTIALS, "***");
  
         if (bindCredential != null && bindCredential.length() > 0)
            tmp.setProperty(BIND_CREDENTIAL, "***");

         log.trace("Logging into LDAP server, env=" + tmp.toString());
      }
   }

Comment 9 JBoss JIRA Server 2015-04-20 15:27:24 UTC
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira SECURITY-877 to Resolved

Comment 10 Rostislav Svoboda 2015-04-23 14:25:41 UTC
Please provide test (as discussed with Carlo) to include this in CP01 payload.
I will qa_ack afterwards.

Comment 11 FIlip Bogyai 2015-05-14 13:10:09 UTC
Verified in EAP 6.4.1.CR2

Comment 12 Rafael Chies 2015-06-16 00:39:26 UTC
Can we use VAULT to not put the plain password in the host.xml file?

Comment 13 FIlip Bogyai 2015-06-16 15:09:02 UTC
Yes, vault can be used to mask passwords also in host.xml file. Follow the steps in Security Guide: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Security_Guide/index.html#chap-Secure_Passwords_and_Other_Sensitive_Strings_with_Password_Vault
and place vault configuration here:

<host name="master" xmlns="urn:jboss:domain:1.7">
     <vault>
     ...
     </vault>
     <management>

Comment 14 dereed 2015-06-16 15:20:45 UTC
> Can we use VAULT to not put the plain password in the host.xml file?

Note that is completely unrelated to the issue on this BZ.

Comment 15 Petr Penicka 2017-01-17 10:01:32 UTC
Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Comment 16 Petr Penicka 2017-01-17 10:01:33 UTC
Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.


Note You need to log in before you can comment on or make changes to this bug.